Advertisement

Practical Free-Start Collision Attacks on 76-step SHA-1

  • Pierre Karpman
  • Thomas Peyrin
  • Marc Stevens
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9215)

Abstract

In this paper we analyze the security of the compression function of SHA-1 against collision attacks, or equivalently free-start collisions on the hash function. While a lot of work has been dedicated to the analysis of SHA-1 in the past decade, this is the first time that free-start collisions have been considered for this function. We exploit the additional freedom provided by this model by using a new start-from-the-middle approach in combination with improvements on the cryptanalysis tools that have been developed for SHA-1 in the recent years. This results in particular in better differential paths than the ones used for hash function collisions so far. Overall, our attack requires about \(2^{50}\) evaluations of the compression function in order to compute a one-block free-start collision for a 76-step reduced version, which is so far the highest number of steps reached for a collision on the SHA-1 compression function. We have developed an efficient GPU framework for the highly branching code typical of a cryptanalytic collision attack and used it in an optimized implementation of our attack on recent GTX 970 GPUs. We report that a single cheap US$ 350 GTX 970 is sufficient to find the collision in less than 5 days. This showcases how recent mainstream GPUs seem to be a good platform for expensive and even highly-branching cryptanalysis computations. Finally, our work should be taken as a reminder that cryptanalysis on SHA-1 continues to improve. This is yet another proof that the industry should quickly move away from using this function.

Keywords

SHA-1 Hash function Cryptanalysis Free-start collision GPU implementation 

References

  1. 1.
    Biham, E., Chen, R.: Near-collisions of SHA-0. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 290–305. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  2. 2.
    Biham, E., Chen, R., Joux, A., Carribault, P., Lemuet, C., Jalby, W.: Collisions of SHA-0 and reduced SHA-1. In: Cramer [5], pp. 36–57Google Scholar
  3. 3.
    Brassard, G. (ed.): CRYPTO 1989. LNCS, vol. 435. Springer, Heidelberg (1990) zbMATHGoogle Scholar
  4. 4.
    Chabaud, F., Joux, A.: Differential collisions in SHA-0. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 56–71. Springer, Heidelberg (1998) Google Scholar
  5. 5.
    Cramer, R. (ed.): EUROCRYPT 2005. LNCS, vol. 3494. Springer, Heidelberg (2005) zbMATHGoogle Scholar
  6. 6.
    Damgård, I.: A design principle for hash functions. In: Brassard [3], pp. 416–427Google Scholar
  7. 7.
    De Cannière, C., Mendel, F., Rechberger, C.: Collisions for 70-step SHA-1: on the full cost of collision search. In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 56–73. Springer, Heidelberg (2007) CrossRefGoogle Scholar
  8. 8.
    De Cannière, C., Rechberger, C.: Finding SHA-1 characteristics: general results and applications. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 1–20. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  9. 9.
    den Boer, B., Bosselaers, A.: An attack on the last two rounds of MD4. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 194–203. Springer, Heidelberg (1992) Google Scholar
  10. 10.
    den Boer, B., Bosselaers, A.: Collisions for the compression function of MD\(_5\). In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 293–304. Springer, Heidelberg (1994) Google Scholar
  11. 11.
    Dobbertin, H.: Cryptanalysis of MD4. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 53–69. Springer, Heidelberg (1996) CrossRefGoogle Scholar
  12. 12.
    Gilbert, H., Peyrin, T.: Super-sbox cryptanalysis: improved attacks for AES-like permutations. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 365–383. Springer, Heidelberg (2010). http://dx.doi.org/10.1007/978-3-642-13858-4 CrossRefGoogle Scholar
  13. 13.
    Grechnikov, E.A.: Collisions for 72-step and 73-step SHA-1: improvements in the method of characteristics. IACR Cryptology ePrint Archive 2010, 413 (2010)Google Scholar
  14. 14.
    Grechnikov, E.A., Adinetz, A.V.: Collision for 75-step SHA-1: intensive parallelization with GPU. IACR Cryptology ePrint Archive 2011, 641 (2011)Google Scholar
  15. 15.
    Hashclash project webpage. https://marc-stevens.nl/p/hashclash/
  16. 16.
    Jean, J., Naya-Plasencia, M., Peyrin, T.: Improved rebound attack on the finalist Grøstl. In: Canteaut, A. (ed.) FES 2012. LNCS, vol. 7549, pp. 110–126. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  17. 17.
    Johansson, T., Nguyen, P.Q. (eds.): EUROCRYPT 2013. LNCS, vol. 7881. Springer, Heidelberg (2013). http://dx.doi.org/10.1007/978-3-642-38348-9 zbMATHGoogle Scholar
  18. 18.
    Joux, A., Peyrin, T.: Hash functions and the (amplified) boomerang attack. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 244–263. Springer, Heidelberg (2007) CrossRefGoogle Scholar
  19. 19.
    Karpman, P., Peyrin, T., Stevens, M.: Practical free-start collision attacks on 76-step SHA-1. IACR Cryptology ePrint Archive 2015, 530 (2015)Google Scholar
  20. 20.
    Klíma, V.: Tunnels in hash functions: MD5 collisions within a minute. IACR Cryptology ePrint Archive 2006, 105 (2006)Google Scholar
  21. 21.
    Lamberger, M., Mendel, F., Rechberger, C., Rijmen, V., Schläffer, M.: Rebound distinguishers: results on the full whirlpool compression function. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 126–143. Springer, Heidelberg (2009). http://dx.doi.org/10.1007/978-3-642-10366-7 CrossRefGoogle Scholar
  22. 22.
    Landelle, F., Peyrin, T.: Cryptanalysis of full RIPEMD-128. In: Johansson and Nguyen [17], pp. 228–244. http://dx.doi.org/10.1007/978-3-642-38348-9
  23. 23.
    Manuel, S.: Classification and generation of disturbance vectors for collision attacks against SHA-1. Des. Codes Crypt. 59(1–3), 247–263 (2011)MathSciNetCrossRefzbMATHGoogle Scholar
  24. 24.
    Mendel, F., Peyrin, T., Rechberger, C., Schläffer, M.: Improved cryptanalysis of the reduced Grøstl compression function, ECHO permutation and AES block cipher. In: Jacobson Jr., M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 16–35. Springer, Heidelberg (2009). http://dx.doi.org/10.1007/978-3-642-05445-7 CrossRefGoogle Scholar
  25. 25.
    Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: The rebound attack: cryptanalysis of reduced whirlpool and Grøstl. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 260–276. Springer, Heidelberg (2009). http://dx.doi.org/10.1007/978-3-642-03317-9 CrossRefGoogle Scholar
  26. 26.
    Mendel, F., Rijmen, V., Schläffer, M.: Collision attack on 5 rounds of Grøstl. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 509–521. Springer, Heidelberg (2015). http://dx.doi.org/10.1007/978-3-662-46706-0 Google Scholar
  27. 27.
    Merkle, R.C.: One way hash functions and DES. In: Brassard [3], pp. 428–446Google Scholar
  28. 28.
    National Institute of Standards and Technology: FIPS 180: Secure Hash Standard, May 1993Google Scholar
  29. 29.
    National Institute of Standards and Technology: FIPS 180–1: Secure Hash Standard, April 1995Google Scholar
  30. 30.
    National Institute of Standards and Technology: FIPS 180–2: Secure Hash Standard, August 2002Google Scholar
  31. 31.
    National Institute of Standards and Technology: Draft FIPS 202: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions, May 2014Google Scholar
  32. 32.
    Nvidia Corporation: Cuda C Programming Guide. https://docs.nvidia.com/cuda/cuda-c-programming-guide
  33. 33.
    Nvidia Corporation: Nvidia Geforce GTX 970 Specifications. http://www.geforce.com/hardware/desktop-gpus/geforce-gtx-970/specifications
  34. 34.
    Rivest, R.L.: The MD4 message digest algorithm. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 303–311. Springer, Heidelberg (1991) Google Scholar
  35. 35.
    Rivest, R.L.: RFC 1321: The MD5 Message-Digest Algorithm, April 1992Google Scholar
  36. 36.
    Saarinen, M.-J.O.: Cryptanalysis of block ciphers based on SHA-1 and MD5. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 36–44. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  37. 37.
    Stevens, M.: Attacks on Hash Functions and Applications. Ph.D. thesis, Leiden University, June 2012Google Scholar
  38. 38.
    Stevens, M.: Counter-cryptanalysis. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 129–146. Springer, Heidelberg (2013). http://dx.doi.org/10.1007/978-3-642-40041-4 CrossRefGoogle Scholar
  39. 39.
    Stevens, M.: New collision attacks on SHA-1 based on optimal joint local-collision analysis. In: Johansson and Nguyen [17], pp. 245–261. http://dx.doi.org/10.1007/978-3-642-38348-9
  40. 40.
    Stevens, M., Lenstra, A.K., de Weger, B.: Chosen-prefix collisions for MD5 and colliding X.509 certificates for different identities. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 1–22. Springer, Heidelberg (2007). http://dx.doi.or/10.1007/978-3-540-72540-4_1 CrossRefGoogle Scholar
  41. 41.
    Stevens, M., Sotirov, A., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, D.A., de Weger, B.: Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 55–69. Springer, Heidelberg (2009). http://dx.doi.org/10.1007/978-3-642-03356-8 CrossRefGoogle Scholar
  42. 42.
    Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  43. 43.
    Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer [5], pp. 19–35Google Scholar

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  1. 1.InriaVilleurbanneFrance
  2. 2.Nanyang Technological UniversitySingaporeSingapore
  3. 3.Centrum Wiskunde and InformaticaAmsterdamThe Netherlands

Personalised recommendations