Practical Free-Start Collision Attacks on 76-step SHA-1

  • Pierre Karpman
  • Thomas Peyrin
  • Marc Stevens
Conference paper, part of the Lecture Notes in Computer Science book series (LNCS, volume 9215)


In this paper we analyze the security of the compression function of SHA-1 against collision attacks, or equivalently free-start collisions on the hash function. While a lot of work has been dedicated to the analysis of SHA-1 in the past decade, this is the first time that free-start collisions have been considered for this function. We exploit the additional freedom provided by this model by using a new start-from-the-middle approach, in combination with improvements to the cryptanalysis tools developed for SHA-1 in recent years. In particular, this yields better differential paths than those used for hash function collisions so far. Overall, our attack requires about \(2^{50}\) evaluations of the compression function in order to compute a one-block free-start collision for a 76-step reduced version, which is so far the highest number of steps reached for a collision on the SHA-1 compression function. We have developed an efficient GPU framework for the highly branching code typical of a cryptanalytic collision attack and used it in an optimized implementation of our attack on recent GTX 970 GPUs. We report that a single cheap US$ 350 GTX 970 is sufficient to find the collision in less than 5 days. This showcases how recent mainstream GPUs seem to be a good platform for expensive and even highly branching cryptanalysis computations. Finally, our work should be taken as a reminder that cryptanalysis of SHA-1 continues to improve. This is yet another proof that the industry should quickly move away from using this function.
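As an added illustration (not code from the paper or its authors), a step-reduced SHA-1 compression function in Python together with a checker for free-start collision pairs: a free-start collision is a pair (IV, M) != (IV', M') whose compression outputs are equal, which is exactly the object the 76-step attack in the abstract produces. The function names and the hashlib cross-check are our own; no collision values are included, since the page gives none.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
# Standard SHA-1 initial chaining value; in the free-start model the attacker may choose it freely.
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def sha1_compress(iv, block, steps=80):
    """SHA-1 compression function reduced to `steps` rounds (80 = full SHA-1).
    iv: five 32-bit words; block: 64 bytes. Returns the five-word chaining output."""
    assert len(block) == 64 and 0 < steps <= 80
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):                      # message expansion
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = iv
    for t in range(steps):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999        # Ch
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1                 # Parity
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC   # Maj
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6                 # Parity
        tmp = (rotl(a, 5) + (f & MASK) + e + k + w[t]) & MASK
        a, b, c, d, e = tmp, a, rotl(b, 30), c, d
    # Davies-Meyer feed-forward of the chaining input
    return tuple((x + y) & MASK for x, y in zip(iv, (a, b, c, d, e)))

def is_free_start_collision(iv1, m1, iv2, m2, steps=80):
    """True iff (iv1, m1) != (iv2, m2) and both compress to the same output.
    Unlike a hash collision, the two chaining inputs may differ."""
    if (iv1, m1) == (iv2, m2):
        return False
    return sha1_compress(iv1, m1, steps) == sha1_compress(iv2, m2, steps)

def sha1_one_block(msg):
    """Full SHA-1 of a message fitting in one padded block (<= 55 bytes), via sha1_compress."""
    assert len(msg) <= 55
    block = msg + b"\x80" + b"\x00" * (55 - len(msg)) + struct.pack(">Q", 8 * len(msg))
    return b"".join(struct.pack(">I", x) for x in sha1_compress(SHA1_IV, block))

def matches_hashlib(msg):
    """Sanity check: the 80-step version must agree with hashlib's SHA-1."""
    return sha1_one_block(msg) == hashlib.sha1(msg).digest()
```

Passing `steps=76` checks a claimed pair against the reduced compression function the paper attacks; the same checker with `steps=80` would verify a free-start collision on full SHA-1.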


Keywords: SHA-1, Hash function, Cryptanalysis, Free-start collision, GPU implementation



Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  1. Inria, Villeurbanne, France
  2. Nanyang Technological University, Singapore, Singapore
  3. Centrum Wiskunde and Informatica, Amsterdam, The Netherlands
