Journal of Cryptology, Volume 28, Issue 1, pp. 110–160

Cryptanalysis of SHA-0 and Reduced SHA-1

  • Eli Biham
  • Rafi Chen
  • Antoine Joux

Abstract

We present new techniques for the cryptanalysis of hash functions. Our contributions are two-fold: one at the level of the search for conforming message pairs within the compression function, and one at the level of the hash function's meta-structure (the chaining of message blocks). The former led to the neutral bits technique, the latter to the multi-block technique. The usefulness of these techniques is demonstrated on SHA-0 and SHA-1, but they are applicable to other hash functions as well. We use these techniques to find a collision of the full SHA-0, the first published collision of this function, and very efficient collision attacks on reduced versions of SHA-1.
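The following Python is an added worked example, not code from the paper or its authors. It implements the SHA-0 compression function (FIPS 180, 1993) and the neutral-bits notion from the abstract on a constructed toy characteristic: a single Chabaud-Joux local collision (perturbation at bit 1 of W[0], corrections at bits 6, 1, 31, 31, 31 of W[1..5]) stands in for the paper's full 80-step characteristic. The definitions follow the paper's concept (a message bit is neutral up to step r if flipping it in both messages leaves the XOR differential trail through step r unchanged; a 2-neutral set is a set of neutral bits in which every pair is also jointly neutral), but the function names, the constructed sample messages, the seeds and the choice r = 15 are this example's own assumptions.

```python
"""Neutral bits on the SHA-0 compression function (added example, toy characteristic).

Assumed setting: one Chabaud-Joux local collision in steps 0..5 replaces the full
80-step characteristic of the paper; messages are constructed by random search.
"""
import random
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def expand(words):
    """SHA-0 message expansion: the SHA-1 recurrence without the 1-bit rotation."""
    w = list(words)
    for t in range(16, 80):
        w.append(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16])
    return w

def step(state, t, wt):
    a, b, c, d, e = state
    if t < 20:
        f, k = (b & c) | (~b & d), 0x5A827999      # Ch: selects C or D bit-wise by B
    elif t < 40:
        f, k = b ^ c ^ d, 0x6ED9EBA1
    elif t < 60:
        f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
    else:
        f, k = b ^ c ^ d, 0xCA62C1D6
    return ((rotl(a, 5) + f + e + k + wt) & MASK, a, rotl(b, 30), c, d)

def compress_trace(words, steps=80, iv=IV):
    """Register states (A, B, C, D, E) after each of the first `steps` steps."""
    w, state, trace = expand(words), iv, []
    for t in range(steps):
        state = step(state, t, w[t])
        trace.append(state)
    return trace

def sha0(msg):
    """Full SHA-0 digest: Merkle-Damgard iteration with MD-style padding."""
    h, ml = IV, len(msg) * 8
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", ml)
    for off in range(0, len(msg), 64):
        last = compress_trace(struct.unpack(">16I", msg[off:off + 64]))[-1]
        h = tuple((x + y) & MASK for x, y in zip(h, last))
    return struct.pack(">5I", *h)

def xor_trail(m, mp, r):
    """XOR differences of the registers after steps 0..r for the message pair (m, mp)."""
    pairs = zip(compress_trace(m, r + 1), compress_trace(mp, r + 1))
    return [tuple(x ^ y for x, y in zip(s, sp)) for s, sp in pairs]

def flip(words, bits):
    """Flip message bits; index 0..511 maps to word index // 32, bit index % 32."""
    w = list(words)
    for b in bits:
        w[b // 32] ^= 1 << (b % 32)
    return tuple(w)

def is_neutral(m, mp, bits, r, target=None):
    """True if flipping `bits` in BOTH messages preserves the trail through step r."""
    if target is None:
        target = xor_trail(m, mp, r)
    return xor_trail(flip(m, bits), flip(mp, bits), r) == target

def neutral_bits(m, mp, r, bits=range(512)):
    target = xor_trail(m, mp, r)
    return [b for b in bits if is_neutral(m, mp, [b], r, target)]

def two_neutral_set(m, mp, nb, r):
    """Greedy 2-neutral set: keep a bit only if it is jointly neutral with every bit kept so far."""
    target, chosen = xor_trail(m, mp, r), []
    for b in nb:
        if all(is_neutral(m, mp, [b, c], r, target) for c in chosen):
            chosen.append(b)
    return chosen

def conformance_rate(m, mp, bits, r, trials=200, seed=2):
    """Fraction of random subsets of `bits` whose joint flip still follows the trail."""
    rng, target = random.Random(seed), xor_trail(m, mp, r)
    hits = sum(is_neutral(m, mp, [b for b in bits if rng.getrandbits(1)], r, target)
               for _ in range(trials))
    return hits / trials

# Constructed toy characteristic: perturb bit 1 of W[0]; the bit-30 rotation moves
# bit 1 to bit 31, where the correction sign no longer matters (2^31 == -2^31 mod 2^32).
LOCAL_COLLISION = {0: 1, 1: 6, 2: 1, 3: 31, 4: 31, 5: 31}
EXPECTED_PATH = [(2, 0, 0, 0, 0), (0, 2, 0, 0, 0), (0, 0, 1 << 31, 0, 0),
                 (0, 0, 0, 1 << 31, 0), (0, 0, 0, 0, 1 << 31), (0, 0, 0, 0, 0)]

def find_conforming_pair(seed=1):
    """Random search for a message whose pair follows EXPECTED_PATH (carry and Ch conditions hold)."""
    rng = random.Random(seed)
    while True:
        m = tuple(rng.getrandbits(32) for _ in range(16))
        mp = flip(m, [32 * w + b for w, b in LOCAL_COLLISION.items()])
        if xor_trail(m, mp, 5) == EXPECTED_PATH:
            return m, mp

def demo(r=15):
    m, mp = find_conforming_pair()
    nb = neutral_bits(m, mp, r, bits=range(192))   # W[6..15] are trivially neutral here
    two = two_neutral_set(m, mp, nb, r)
    return {"neutral_bits": len(nb), "two_neutral_set": len(two),
            "rate_two_neutral": conformance_rate(m, mp, two, r),
            "rate_all_bits": conformance_rate(m, mp, list(range(192)), r)}

if __name__ == "__main__":
    print(demo())
```

`demo()` reports how many of the 192 bits of W[0..5] are neutral through step 15, how large a greedy 2-neutral set is, and compares the fraction of random subsets of that set whose simultaneous flip still follows the path against the same fraction for arbitrary bits. That gap is what the technique buys: every conforming pair generated by flipping a subset of the neutral bits costs only the steps after the path region, instead of a fresh search from step 0. In this toy, all bits of W[3..5] are neutral by construction (their corrections are at bit 31 or are sign-independent), while bits such as W[0] bit 1, W[1] bit 6, W[1] bit 31 and W[2] bit 31 are never neutral because flipping them inverts a carry sign or a Ch selector the path depends on. The full attack substitutes a complete characteristic for the toy path and combines the search with multi-block chaining, which this example does not show.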

Keywords

Differential cryptanalysis; SHA-1; Hash functions

Acknowledgments

This research was supported in part by the Israel MOD research and Technology unit.


Copyright information

© International Association for Cryptologic Research 2014

Authors and Affiliations

  1. Computer Science Department, Technion – Israel Institute of Technology, Haifa, Israel
  2. Laboratoire PRISM, CNRS UMR-8144, Université de Versailles St-Quentin-en-Yvelines, Versailles Cedex, France