Advertisement

The First Collision for Full SHA-1

  • Marc StevensEmail author
  • Elie Bursztein
  • Pierre Karpman
  • Ange Albertini
  • Yarik Markov
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10401)

Abstract

SHA-1 is a widely used 1995 NIST cryptographic hash function standard that was officially deprecated by NIST in 2011 due to fundamental security weaknesses demonstrated in various analyses and theoretical attacks.

Despite its deprecation, SHA-1 remains widely used in 2017 for document and TLS certificate signatures, and also in many software such as the GIT versioning system for integrity and backup purposes.

A key reason behind the reluctance of many industry players to replace SHA-1 with a safer alternative is the fact that finding an actual collision has seemed to be impractical for the past eleven years due to the high complexity and computational cost of the attack.

In this paper, we demonstrate that SHA-1 collision attacks have finally become practical by providing the first known instance of a collision. Furthermore, the prefix of the colliding messages was carefully chosen so that they allow an attacker to forge two distinct PDF documents with the same SHA-1 hash that display different arbitrarily-chosen visual contents.

We were able to find this collision by combining many special cryptanalytic techniques in complex ways and improving upon previous work. In total the computational effort spent is equivalent to \(2^{63.1}\) calls to SHA-1’s compression function, and took approximately 6 500 CPU years and 100 GPU years. While the computational power spent on this collision is larger than other public cryptanalytic computations, it is still more than 100 000 times faster than a brute force search.

Keywords

Hash function Cryptanalysis Collision attack Collision example Differential path construction 

Notes

Acknowledgements

We thank the anonymous reviewers for their helpful comments, and Michael X. Lyons for pointing out a few minor inconsistencies between the presented differential path and the actual colliding blocks.

Supplementary material

References

  1. 1.
    Albertini, A., Aumasson, J.-P., Eichlseder, M., Mendel, F., Schläffer, M.: Malicious hashing: Eve’s variant of SHA-1. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 1–19. Springer, Cham (2014). doi: 10.1007/978-3-319-13051-4_1 CrossRefGoogle Scholar
  2. 2.
    Albertini, A., et al.: Exploiting identical-prefix hash function collisions. Draft (2017)Google Scholar
  3. 3.
    Biham, E., Chen, R.: Near-collisions of SHA-0. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 290–305. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-28628-8_18 CrossRefGoogle Scholar
  4. 4.
    Biham, E., Chen, R., Joux, A., Carribault, P., Lemuet, C., Jalby, W.: Collisions of SHA-0 and reduced SHA-1. In: Cramer [6], pp. 36–57 (2005)Google Scholar
  5. 5.
    Chabaud, F., Joux, A.: Differential collisions in SHA-0. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 56–71. Springer, Heidelberg (1998). doi: 10.1007/BFb0055720 Google Scholar
  6. 6.
    Cramer, R. (ed.): EUROCRYPT. LNCS, vol. 3494. Springer, Cham (2005)zbMATHGoogle Scholar
  7. 7.
    Cannière, C., Mendel, F., Rechberger, C.: Collisions for 70-step SHA-1: on the full cost of collision search. In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 56–73. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-77360-3_4 CrossRefGoogle Scholar
  8. 8.
    De Cannière, C., Rechberger, C.: Finding SHA-1 characteristics: general results and applications. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 1–20. Springer, Heidelberg (2006). doi: 10.1007/11935230_1 CrossRefGoogle Scholar
  9. 9.
    Boer, B., Bosselaers, A.: An attack on the last two rounds of MD4. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 194–203. Springer, Heidelberg (1992). doi: 10.1007/3-540-46766-1_14 Google Scholar
  10. 10.
    Boer, B., Bosselaers, A.: Collisions for the compression function of MD5. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 293–304. Springer, Heidelberg (1994). doi: 10.1007/3-540-48285-7_26 Google Scholar
  11. 11.
    Dobbertin, H.: Cryptanalysis of MD4. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 53–69. Springer, Heidelberg (1996). doi: 10.1007/3-540-60865-6_43 CrossRefGoogle Scholar
  12. 12.
    Fillinger, M., Stevens, M.: Reverse-engineering of the cryptanalytic attack used in the flame super-malware. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 586–611. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48800-3_24 CrossRefGoogle Scholar
  13. 13.
    Cab Forum: Ballot 152 - Issuance of SHA-1 certificates through 2016. Cabforum mailing List (2015). https://cabforum.org/pipermail/public/2015-October/006081.html
  14. 14.
    Gebhardt, M., Illies, G., Schindler, W.: A note on practical value of single hash collisions for special file formats. In: NIST First Cryptographic Hash Workshop, October 2005Google Scholar
  15. 15.
    Grechnikov, E.: Collisions for 72-step and 73-step SHA-1: improvements in the method of characteristics. Cryptology ePrint Archive, Report 2010/413 (2010)Google Scholar
  16. 16.
    Grechnikov, E., Adinetz, A.: Collision for 75-step SHA-1: intensive parallelization with GPU. Cryptology ePrint Archive, Report 2011/641 (2011)Google Scholar
  17. 17.
    Hashclash project webpage. https://marc-stevens.nl/p/hashclash/. Accessed May 2017
  18. 18.
    InfoWorld: Oracle to Java devs: stop signing jar files with MD5, January 2017Google Scholar
  19. 19.
    Joux, A., Peyrin, T.: Hash functions and the (amplified) boomerang attack. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 244–263. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-74143-5_14 CrossRefGoogle Scholar
  20. 20.
    Jutla, C.S., Patthak, A.C.: A matching lower bound on the minimum weight of SHA-1 expansion code. IACR Cryptology ePrint Archive 2005, 266 (2005)Google Scholar
  21. 21.
    Karpman, P., Peyrin, T., Stevens, M.: Practical free-start collision attacks on 76-step SHA-1. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 623–642. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-47989-6_30 CrossRefGoogle Scholar
  22. 22.
    Kleinjung, T., et al.: Factorization of a 768-bit RSA modulus. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 333–350. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-14623-7_18 CrossRefGoogle Scholar
  23. 23.
    Kleinjung, T., Diem, C., Lenstra, A.K., Priplata, C., Stahlke, C.: Computation of a 768-bit prime field discrete logarithm. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 185–201. Springer, Cham (2017). doi: 10.1007/978-3-319-56620-7_7 CrossRefGoogle Scholar
  24. 24.
    CrySyS Lab: sKyWiper (a.k.a. flame a.k.a. flamer): a complex malware for targeted attacks. Laboratory of Cryptography and System Security, Budapest University of Technology and Economics, 31 May 2012Google Scholar
  25. 25.
    Kaspersky Lab: The flame: questions and answers. Securelist blog, 28 May 2012Google Scholar
  26. 26.
    Manuel, S.: Classification and generation of disturbance vectors for collision attacks against SHA-1. Des. Codes Cryptogr. 59(1–3), 247–263 (2011)MathSciNetCrossRefzbMATHGoogle Scholar
  27. 27.
    Manuel, S., Peyrin, T.: Collisions on SHA-0 in one hour. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 16–35. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-71039-4_2 CrossRefGoogle Scholar
  28. 28.
    Mendel, F., Pramstaller, N., Rechberger, C., Rijmen, V.: The impact of carries on the complexity of collision attacks on SHA-1. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 278–292. Springer, Heidelberg (2006). doi: 10.1007/11799313_18 CrossRefGoogle Scholar
  29. 29.
    Third author’s mum, T.: SHA-1 is still being used. Personnal communicationGoogle Scholar
  30. 30.
    National Institute of Standards and Technology: FIPS 180: Secure Hash Standard, May 1993Google Scholar
  31. 31.
    National Institute of Standards and Technology: FIPS 180-1: Secure Hash Standard, April 1995Google Scholar
  32. 32.
    Nossum, V.: SAT-based preimage attacks on SHA-1. Master’s thesis, University of Oslo (2012)Google Scholar
  33. 33.
    van Oorschot, P.C., Wiener, M.J.: Parallel collision search with cryptanalytic applications. J. Cryptol. 12(1), 1–28 (1999)MathSciNetCrossRefzbMATHGoogle Scholar
  34. 34.
    Post, T.W.: US, Israel developed flame computer virus to slow Iranian nuclear efforts, officials say, June 2012Google Scholar
  35. 35.
    Pramstaller, N., Rechberger, C., Rijmen, V.: Exploiting coding theory for collision attacks on SHA-1. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 78–95. Springer, Heidelberg (2005). doi: 10.1007/11586821_7 CrossRefGoogle Scholar
  36. 36.
    Rivest, R.L.: The MD4 message digest algorithm. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 303–311. Springer, Heidelberg (1991). doi: 10.1007/3-540-38424-3_22 Google Scholar
  37. 37.
    Rivest, R.L.: RFC 1321: The MD5 Message-Digest Algorithm, April 1992Google Scholar
  38. 38.
    Schneier, B.: When will we see collisions for SHA-1? Blog (2012)Google Scholar
  39. 39.
    Amazon Web Services: Amazon EC2 - Virtual Server Hosting. aws.amazon.com. Accessed Jan 2016
  40. 40.
    Shoup, V. (ed.): CRYPTO. LNCS, vol. 3621. Springer, Heidelberg (2005)zbMATHGoogle Scholar
  41. 41.
    Stevens, M.: Attacks on hash functions and applications. Ph.D. thesis, Leiden University, June 2012Google Scholar
  42. 42.
    Stevens, M.: Counter-cryptanalysis. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 129–146. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-40041-4_8 CrossRefGoogle Scholar
  43. 43.
    Stevens, M.: New collision attacks on SHA-1 based on optimal joint local-collision analysis. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 245–261. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-38348-9_15 CrossRefGoogle Scholar
  44. 44.
    Stevens, M., Karpman, P., Peyrin, T.: Freestart collision for full SHA-1. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 459–483. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49890-3_18 CrossRefGoogle Scholar
  45. 45.
    Stevens, M., Lenstra, A., Weger, B.: Chosen-prefix collisions for MD5 and colliding X.509 certificates for different identities. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 1–22. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-72540-4_1 CrossRefGoogle Scholar
  46. 46.
    Stevens, M., Sotirov, A., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, D.A., Weger, B.: Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 55–69. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-03356-8_4 CrossRefGoogle Scholar
  47. 47.
    ThreadPost: SHA-1 end times have arrived, January 2017Google Scholar
  48. 48.
    Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup [40], pp. 17–36 (2005)Google Scholar
  49. 49.
    Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer [6], pp. 19–35 (2005)Google Scholar
  50. 50.
    Wang, X., Yu, H., Yin, Y.L.: Efficient collision search attacks on SHA-0. In: Shoup [40], pp. 1–16 (2005)Google Scholar
  51. 51.
    Yajima, J., Iwasaki, T., Naito, Y., Sasaki, Y., Shimoyama, T., Peyrin, T., Kunihiro, N., Ohta, K.: A strict evaluation on the number of conditions for SHA-1 collision search. IEICE Transactions, vol. 92-A, no. 1, pp. 87–95 (2009). http://search.ieice.org/bin/summary.php?id=e92-a_1_87&category=A&year=2009&lang=E&abst=
  52. 52.
    Yajima, J., Sasaki, Y., Naito, Y., Iwasaki, T., Shimoyama, T., Kunihiro, N., Ohta, K.: A new strategy for finding a differential path of SHA-1. In: Pieprzyk, J., Ghodosi, H., Dawson, E. (eds.) ACISP 2007. LNCS, vol. 4586, pp. 45–58. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-73458-1_4 CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  • Marc Stevens
    • 1
    Email author
  • Elie Bursztein
    • 2
  • Pierre Karpman
    • 1
  • Ange Albertini
    • 2
  • Yarik Markov
    • 2
  1. 1.CWI AmsterdamAmsterdamThe Netherlands
  2. 2.Google ResearchMountain ViewUSA

Personalised recommendations