Differential collisions in SHA-0
In this paper we present a method for finding collisions in SHA-0 which is related to differential cryptanalysis of block ciphers. Using this method, we obtain a theoretical attack on the compression function SHA-0 with complexity 261, which is thus better than the birthday paradox attack. In the case of SHA-1, this method is unable to find collisions faster than the birthday paradox. This is a strong evidence that the transition to version 1 indeed raised the level of security of SHA.
KeywordsHash Function Block Cipher Compression Function Elementary Probability Message Block
- 2.B. den Boer, and A. Bosselaers. Collisions for the compression function of MD5, EUROCRYPT'93 LNCS 773, pp 293–304, 1994.Google Scholar
- 4.H. Dobbertin. Cryptanalysis of MD4, Fast Software Encryption LNCS 1039, pp 53–69, 1996.Google Scholar
- 6.R. Rivest. The MD5 Message-Digest Algorithm, Network Working Group Request for Comments: 1321, April 1992. http://theory.lcs.mit.edu/~rivest/Rivest-MD5.txtGoogle Scholar
- 7.Secure Hash Standard. Federal Information Processing Standard Publication # 180, U.S. Department of Commerce, National Institute of Standards and Technology, 1993.Google Scholar
- 8.Secure Hash Standard. Federal Information Processing Standard Publication # 180-1, U.S. Department of Commerce, National Institute of Standards and Technology, 1995 (addendum to ).Google Scholar