Abstract
The cryptanalysis of hash functions has advanced rapidly, and many hash functions have been broken one after another. The most popular hash function, SHA-1, has not been broken yet, but the new collision search techniques proposed by Wang et al. reduced the computational complexity down to 2^69, which is only 1/2,000 of the 2^80 operations needed for a birthday attack. The complexity is still too large even for today's supercomputers, but no feasibility study of breaking SHA-1 using specialized hardware has been reported. The well known brute force attack on DES simply repeats the DES operation at most 2^56 times, but the complexity of 2^69 hash operations to break SHA-1 does not mean 2^69 SHA-1 operations. Complex procedures using SHA-1 functions are required, and the total number of operations, based on the probability of a collision occurring, is almost equivalent to 2^69 SHA-1 operations. Therefore, in this paper we describe a procedure and propose an LSI architecture to find real collisions for SHA-1. The hardware core was synthesized by using a 0.13-μm CMOS standard cell library, and its performance in speed, size, and power consumption was evaluated. A $10 million budget can build a custom hardware system that would consist of 303 personal computers with 16 circuit boards each, in which 32 SHA-1-breaking LSIs are mounted. Each LSI has 64 SHA-1 cores that can run in parallel. This system would find a real collision in 127 days.
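As an added example (not part of the paper), a small Python model that turns the figures in the abstract (303 PCs, 16 boards per PC, 32 LSIs per board, 64 cores per LSI, 2^69 operations, 127 days, $10 million) into the per-core throughput they imply, and rescales the estimate to other budgets and to the 2^80 birthday bound. The linear scaling of core count with budget is an assumption.

```python
"""Cost-model check for the SHA-1 collision-search estimate in the abstract.

Added example, not from the paper: it derives the per-core SHA-1 rate implied
by the abstract's figures and rescales the attack time to other budgets and to
the generic 2^80 birthday bound. Linear cost scaling is an assumption.
"""
from __future__ import annotations

SECONDS_PER_DAY = 86_400

# Figures taken from the abstract.
PCS, BOARDS_PER_PC, LSIS_PER_BOARD, CORES_PER_LSI = 303, 16, 32, 64
BUDGET_USD = 10_000_000
WORK_LOG2 = 69          # Wang et al.'s collision-search complexity, log2
BIRTHDAY_LOG2 = 80      # generic birthday bound for a 160-bit digest, log2
DAYS = 127


def total_cores(pcs: int = PCS, boards: int = BOARDS_PER_PC,
                lsis: int = LSIS_PER_BOARD, cores: int = CORES_PER_LSI) -> int:
    """Number of SHA-1 cores running in parallel in the proposed system."""
    return pcs * boards * lsis * cores


def implied_core_rate(work_log2: int = WORK_LOG2, days: int = DAYS,
                      cores: int | None = None) -> float:
    """SHA-1 operations per second each core must sustain to finish in `days`."""
    cores = total_cores() if cores is None else cores
    return 2 ** work_log2 / (cores * days * SECONDS_PER_DAY)


def days_to_collision(budget_usd: float, work_log2: int = WORK_LOG2,
                      core_rate: float | None = None) -> float:
    """Expected days for a given budget, assuming (assumption) that the number
    of cores scales linearly with spend at the abstract's cost per core."""
    rate = implied_core_rate() if core_rate is None else core_rate
    cores = budget_usd / (BUDGET_USD / total_cores())
    return 2 ** work_log2 / (cores * rate * SECONDS_PER_DAY)


if __name__ == "__main__":
    print(f"cores in parallel:      {total_cores():,}")
    print(f"implied per-core rate:  {implied_core_rate():,.0f} SHA-1/s")
    print(f"$10M, 2^69 work:        {days_to_collision(10e6):.0f} days")
    print(f"$10M, 2^80 work:        {days_to_collision(10e6, BIRTHDAY_LOG2):.0f} days")
    print(f"$1M,  2^69 work:        {days_to_collision(1e6):.0f} days")
```

The 2^80 case shows why the 1/2,000 reduction matters: on the same $10 million system the generic birthday attack would take 2,048 times longer than the 127 days.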
References
NIST, Secure Hash Standard, FIPS PUB 180 (May 1993)
NIST, Proposed Revision of Federal Information Processing Standard (FIPS) 180, Secure Hash Standard (July 1994)
NIST, Secure Hash Standard, FIPS PUB 180-1 (April 1995)
NIST, Secure Hash Standard (SHS), FIPS PUB 180-2 (August 2002)
NIST, FIPS 180-2, Secure Hash Standard Change Notice 1 (February 2004), http://csrc.nist.gov/publications/fips/fips180-2/FIPS180-2_changenotice.pdf
Rivest, R.L.: The MD4 Message Digest Algorithm. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 303–311. Springer, Heidelberg (1991)
Rivest, R.L.: The MD4 Message Digest Algorithm. RFC 1186 (October 1990)
Rivest, R.L.: The MD4 Message Digest Algorithm. RFC 1320 (April 1992)
Rivest, R.L.: The MD5 Message Digest Algorithm. RFC 1321 (April 1992)
Chabaud, F., Joux, A.: Differential Collisions in SHA-0. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 56–71. Springer, Heidelberg (1998)
Biham, E., Chen, R.: Near-Collisions of SHA-0. Cryptology ePrint Archive: Report 2004/146 (June 2004), http://eprint.iacr.org/2004/146
Joux, A.: Collisions for SHA-0. In: CRYPTO 2004 rump session (August 2004), http://www.mail-archive.com/cryptography%40metzdowd.com/msg02554.html
Wang, X., Feng, D., Lai, X., Yu, H.: Collisions for Hash Functions MD4, MD5, HAVAL-128, and RIPEMD. In: CRYPTO 2004 rump session (August 2004), http://www.infosec.sdu.edu.cn/paper/199.pdf
Wang, X., Yin, Y.L., Yu, H.: Collision Search Attacks on SHA1 (2005), http://www.infosec.sdu.edu.cn/paper/sha-attack-note.pdf
Wang, X., Lai, X., Feng, D., Chen, H., Yu, X.: Cryptanalysis of the Hash Functions MD4 and RIPEMD. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 1–18. Springer, Heidelberg (2005), http://www.infosec.sdu.edu.cn/paper/md4-ripemd-attck.pdf
Wang, X., Yu, H.: How to Break MD5 and Other Hash Functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005), http://www.infosec.sdu.edu.cn/paper/md5-attack.pdf
Wang, X., Yin, Y.L., Yu, H.: Efficient Collision Search Attacks on SHA-0. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 1–16. Springer, Heidelberg (2005), http://www.infosec.sdu.edu.cn/paper/sha0-crypto-author-new.pdf
Wang, X., Yin, Y.L., Yu, H.: Finding Collisions in the Full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005), http://www.infosec.sdu.edu.cn/paper/sha1-crypto-auth-new-2-yao.pdf
Matusiewicz, K., Pieprzyk, J.: Finding Good Differential Patterns for Attacks on SHA-1. Cryptology ePrint Archive: Report 2004/364 (December 2004), http://eprint.iacr.org/2004/364
Rijmen, V., Oswald, E.: Update on SHA-1. Cryptology ePrint Archive: Report 2005/010 (December 2004), http://eprint.iacr.org/2005/010.pdf
Yuval, G.: How to swindle Rabin. Cryptologia 3(3), 187–189 (1979)
Yin, Y.L.: personal communication (July 2005)
Satoh, A., Inoue, T.: ASIC-Hardware-Focused Comparison for Hash Functions MD5, RIPEMD-160, and SHS. In: Proc. ITCC 2005 (International Conference on Information Technology), vol. 1, pp. 532–537 (April 2005)
IBM Cu-11 Standard Cell / Gate Array ASIC, http://www-03.ibm.com/chips/products/asics/products/cu-11.html
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Satoh, A. (2005). Hardware Architecture and Cost Estimates for Breaking SHA-1. In: Zhou, J., Lopez, J., Deng, R.H., Bao, F. (eds) Information Security. ISC 2005. Lecture Notes in Computer Science, vol 3650. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11556992_19
DOI: https://doi.org/10.1007/11556992_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-29001-8
Online ISBN: 978-3-540-31930-6