
From Collisions to Chosen-Prefix Collisions: Application to Full SHA-1

  • Gaëtan Leurent
  • Thomas Peyrin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11478)

Abstract

A chosen-prefix collision attack is a stronger variant of a collision attack, in which an arbitrary pair of challenge prefixes is turned into a collision. Chosen-prefix collisions are usually significantly harder to produce than (identical-prefix) collisions, but their practical impact is much larger. While many cryptographic constructions rely on collision resistance for their security proofs, collision attacks are hard to turn into breaks of concrete protocols, because the adversary has only limited control over the colliding messages. Chosen-prefix collisions, on the other hand, have been shown to break certificates (by creating a rogue CA) and many internet protocols (TLS, SSH, IPsec).

In this article, we propose new techniques to turn collision attacks into chosen-prefix collision attacks. Our strategy has two phases. First, a birthday search takes the random chaining-variable difference (which the chosen-prefix model imposes) to one of a set of pre-defined target differences. Then, using a multi-block approach and a careful analysis of the clustering effect, we map this new chaining-variable difference to a colliding pair of states with techniques developed for collision attacks.

We apply those techniques to MD5 and SHA-1, and obtain improved attacks. In particular, we have a chosen-prefix collision attack against SHA-1 with complexity between \(2^{66.9}\) and \(2^{69.4}\) (depending on assumptions about the cost of finding near-collision blocks), while the best-known attack has complexity \(2^{77.1}\). This is within a small factor of the complexity of the classical collision attack on SHA-1 (estimated as \(2^{64.7}\)). This represents yet another warning that industries and users have to move away from using SHA-1 as soon as possible.
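
The following toy model illustrates the chosen-prefix setting and the first (birthday) phase of the two-phase strategy described above. It is an added example, not code from the paper or its authors. Everything in it is an assumption for illustration: a 32-bit Merkle-Damgård hash with 8-byte blocks, a compression function built from truncated SHA-256 as a random-looking stand-in for the SHA-1 compression function, and a target-difference set consisting of XOR differences confined to the low `free_bits` bits of the state. With `free_bits = 0` the birthday phase reaches a full state collision on its own (the generic \(2^{n/2}\) chosen-prefix attack); with `free_bits > 0` it only reaches a near-collision, and the second phase of the real attack, which cancels the remaining difference with SHA-1 near-collision blocks found by differential cryptanalysis, is not modelled here. The example also shows the Merkle-Damgård property that makes chosen-prefix collisions dangerous in practice: once the internal states collide, any common suffix keeps the collision.

```python
"""Toy model of the chosen-prefix collision (CPC) birthday phase on a small
Merkle-Damgard hash.  Added example; not code from the paper.  Assumptions
(not from the paper): 32-bit chaining value, 8-byte blocks, a truncated
SHA-256 compression function, and a target set of XOR differences confined
to the low `free_bits` bits of the state."""
import hashlib
import os
import struct

N_BITS = 32                    # toy chaining-value size (assumption)
BLOCK = 8                      # toy block size in bytes (assumption)
IV = 0x67452301                # first SHA-1 IV word, reused as toy IV


def compress(state: int, block: bytes) -> int:
    """Toy compression function: SHA-256(state || block) truncated to 32 bits."""
    assert len(block) == BLOCK
    digest = hashlib.sha256(struct.pack(">I", state) + block).digest()
    return int.from_bytes(digest[:4], "big")


def absorb(msg: bytes, state: int = IV) -> int:
    """Chaining value after absorbing whole blocks of msg (no padding)."""
    assert len(msg) % BLOCK == 0
    for i in range(0, len(msg), BLOCK):
        state = compress(state, msg[i:i + BLOCK])
    return state


def toy_hash(msg: bytes) -> int:
    """Merkle-Damgard with strengthening: 0x80, zero fill, 4-byte bit length."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 4) % BLOCK)
    padded += struct.pack(">I", 8 * len(msg))
    return absorb(padded)


def align(p1: bytes, p2: bytes):
    """Zero-pad both chosen prefixes to the same block boundary.  Equal length
    matters: MD strengthening hashes the length in the last block, so colliding
    internal states only give a colliding digest if the lengths agree."""
    n = -(-max(len(p1), len(p2)) // BLOCK) * BLOCK
    return p1.ljust(n, b"\x00"), p2.ljust(n, b"\x00")


def birthday_phase(s1: int, s2: int, free_bits: int, max_iter: int = 1 << 22):
    """Phase 1: append one random block after each prefix until the XOR
    difference of the two chaining values lies in the target set, i.e. the
    high N_BITS-free_bits bits agree.  free_bits=0 is a plain collision search.
    Returns (block1, block2, iterations)."""
    seen1, seen2 = {}, {}
    for it in range(1, max_iter + 1):
        b1 = os.urandom(BLOCK)
        k1 = compress(s1, b1) >> free_bits
        if k1 in seen2:
            return b1, seen2[k1], it
        seen1[k1] = b1
        b2 = os.urandom(BLOCK)
        k2 = compress(s2, b2) >> free_bits
        if k2 in seen1:
            return seen1[k2], b2, it
        seen2[k2] = b2
    raise RuntimeError("birthday phase exceeded its budget")


def chosen_prefix_collision(p1: bytes, p2: bytes):
    """Generic CPC on the toy hash: free_bits=0, so the birthday phase alone
    reaches a full state collision and no near-collision blocks are needed.
    Cost is about 2^(N_BITS/2) compressions per side."""
    p1, p2 = align(p1, p2)
    b1, b2, it = birthday_phase(absorb(p1), absorb(p2), free_bits=0)
    return p1 + b1, p2 + b2, it


def mean_birthday_cost(free_bits: int, trials: int = 3) -> float:
    """Average iterations of the birthday phase when 2^free_bits differences
    are acceptable.  This is the phase-1 saving the attack exploits: the cost
    drops from about 2^(n/2) to about 2^((n-free_bits)/2), and the real attack
    then pays for near-collision blocks (phase 2) to cancel what is left."""
    total = 0
    for _ in range(trials):
        s1, s2 = absorb(os.urandom(BLOCK)), absorb(os.urandom(BLOCK))
        total += birthday_phase(s1, s2, free_bits)[2]
    return total / trials


if __name__ == "__main__":
    # Constructed sample prefixes (not from the paper).
    m1, m2, it = chosen_prefix_collision(b"CN=alice,O=Good Corp", b"CN=Rogue CA")
    assert m1 != m2 and toy_hash(m1) == toy_hash(m2)
    suffix = b"... shared signed body ..."       # any common suffix keeps the collision
    assert toy_hash(m1 + suffix) == toy_hash(m2 + suffix)
    print(f"collision after {it} iterations: {toy_hash(m1):08x}")
    print("mean cost, exact collision   :", mean_birthday_cost(0))
    print("mean cost, 2^12 target diffs :", mean_birthday_cost(12))
```

Two points carry over to the real attack. First, the target set in the paper is not "high bits equal" but a set of differences that the SHA-1 near-collision blocks of phase 2 can actually cancel; the toy set only shows why accepting many target differences shrinks the birthday search. Second, the two chosen prefixes must be brought to the same length before the birthday blocks are appended, otherwise the length field of the Merkle-Damgård padding breaks the collision even though the internal states agree.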

Keywords

Hash function, Cryptanalysis, Chosen-prefix collision, SHA-1, MD5

Notes

Acknowledgments

The authors would like to thank the anonymous referees for their helpful comments. The second author is supported by Temasek Laboratories, Singapore.

References

  1. Bhargavan, K., Leurent, G.: Transcript collision attacks: breaking authentication in TLS, IKE and SSH. In: NDSS 2016. The Internet Society, February 2016
  2. Biham, E., Chen, R.: Near-collisions of SHA-0. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 290–305. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_18
  3. Biham, E., Chen, R., Joux, A., Carribault, P., Lemuet, C., Jalby, W.: Collisions of SHA-0 and reduced SHA-1. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 36–57. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_3
  4. Brassard, G. (ed.): CRYPTO 1989. LNCS, vol. 435. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0
  5. Chabaud, F., Joux, A.: Differential collisions in SHA-0. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 56–71. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055720
  6. Damgård, I.: A design principle for hash functions. In: [4], pp. 416–427
  7. Damgård, I.B.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_39
  8. De Cannière, C., Mendel, F., Rechberger, C.: Collisions for 70-step SHA-1: on the full cost of collision search. In: Adams, C.M., Miri, A., Wiener, M.J. (eds.) SAC 2007. LNCS, vol. 4876, pp. 56–73. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-77360-3_4
  9. den Boer, B., Bosselaers, A.: Collisions for the compression function of MD5. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 293–304. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_26
  10. Joux, A., Peyrin, T.: Hash functions and the (amplified) boomerang attack. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 244–263. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_14
  11. Karpman, P., Peyrin, T., Stevens, M.: Practical free-start collision attacks on 76-step SHA-1. In: Gennaro, R., Robshaw, M.J.B. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 623–642. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_30
  12. Klima, V.: Tunnels in hash functions: MD5 collisions within a minute. Cryptology ePrint Archive, Report 2006/105 (2006). http://eprint.iacr.org/2006/105
  13. Lamberger, M., Pramstaller, N., Rechberger, C., Rijmen, V.: Second preimages for SMASH. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 101–111. Springer, Heidelberg (2006). https://doi.org/10.1007/11967668_7
  14. Leurent, G.: Analysis of differential attacks in ARX constructions. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 226–243. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_15
  15. Mendel, F., Rijmen, V., Schläffer, M.: Collision attack on 5 rounds of Grøstl. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 509–521. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46706-0_26
  16. Merkle, R.C.: One way hash functions and DES. In: [4], pp. 428–446
  17. National Institute of Standards and Technology: FIPS 180: secure hash standard, May 1993
  18. National Institute of Standards and Technology: FIPS 180-1: secure hash standard, April 1995
  19. National Institute of Standards and Technology: FIPS 180-2: secure hash standard, August 2002
  20. National Institute of Standards and Technology: FIPS 202: SHA-3 standard: permutation-based hash and extendable-output functions, August 2015
  21. Peyrin, T.: Cryptanalysis of Grindahl. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 551–567. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-76900-2_34
  22. Rivest, R.L.: The MD4 message digest algorithm. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 303–311. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-38424-3_22
  23. Rivest, R.L.: RFC 1321: the MD5 message-digest algorithm. Internet Activities Board, April 1992
  24. Stevens, M.: Attacks on hash functions and applications. Ph.D. thesis, Leiden University, June 2012
  25. Stevens, M.: New collision attacks on SHA-1 based on optimal joint local-collision analysis. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 245–261. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_15
  26. Stevens, M., Bursztein, E., Karpman, P., Albertini, A., Markov, Y.: The first collision for full SHA-1. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 570–596. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_19
  27. Stevens, M., Karpman, P., Peyrin, T.: Freestart collision for full SHA-1. In: Fischlin, M., Coron, J.S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 459–483. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_18
  28. Stevens, M., Lenstra, A.K., de Weger, B.: Chosen-prefix collisions for MD5 and colliding X.509 certificates for different identities. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 1–22. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72540-4_1
  29. Stevens, M., Sotirov, A., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, D.A., de Weger, B.: Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 55–69. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_4
  30. van Oorschot, P.C., Wiener, M.J.: Parallel collision search with cryptanalytic applications. J. Cryptol. 12(1), 1–28 (1999)
  31. Wang, X., Lai, X., Feng, D., Chen, H., Yu, X.: Cryptanalysis of the hash functions MD4 and RIPEMD. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 1–18. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_1
  32. Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_2
  33. Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_2
  34. Wang, X., Yu, H., Yin, Y.L.: Efficient collision search attacks on SHA-0. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 1–16. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_1

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  1. Inria, Paris, France
  2. Nanyang Technological University, Singapore, Singapore
  3. Temasek Laboratories, Singapore, Singapore
