Hardware Architecture and Cost Estimates for Breaking SHA-1

  • Akashi Satoh
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3650)

Abstract

The cryptanalysis of hash functions has advanced rapidly, and many hash functions have been broken one after another. The most popular hash function SHA-1 has not been broken yet, but the new collision search techniques proposed by Wang et al. reduced the computational complexity down to 2^69, which is only 1/2,000 of the 2^80 operations needed for a birthday attack. The complexity is still too large even for today’s supercomputers, but no feasibility study of breaking SHA-1 using specialized hardware has been reported. The well known brute force attack on DES simply repeats the DES operation 2^56 times at a maximum, but the complexity of 2^69 hash operations to break SHA-1 does not mean 2^69 SHA-1 operations. Complex procedures using SHA-1 functions are required, and the total number of operations based on the probability of a collision occurrence is almost equivalent to the 2^69 SHA-1 operations. Therefore, we describe a procedure and propose an LSI architecture to find real collisions for SHA-1 in this paper. The hardware core was synthesized by using a 0.13-μm CMOS standard cell library, and its performances in speed, size, and power consumption were evaluated. A $10 million budget can build a custom hardware system that would consist of 303 personal computers with 16 circuit boards each, in which 32 SHA-1-breaking LSIs are mounted. Each LSI has 64 SHA-1 cores that can run in parallel. This system would find a real collision in 127 days.

Keywords

Hash Function; Hardware Architecture; Message Block; Local Collision; Brute Force Attack
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

References

  1. NIST, Secure Hash Standard, FIPS PUB 180 (May 1993)
  2. NIST, Proposed Revision of Federal Information Processing Standard (FIPS) 180, Secure Hash Standard (July 1994)
  3. NIST, Secure Hash Standard, FIPS PUB 180-1 (April 1995)
  4. NIST, Secure Hash Standard (SHS), FIPS PUB 180-2 (August 2002)
  5. NIST, FIPS 180-2, Secure Hash Standard Change Notice 1 (February 2004), http://csrc.nist.gov/publications/fips/fips180-2/FIPS180-2_changenotice.pdf
  6. Rivest, R.L.: The MD4 Message Digest Algorithm. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 303–311. Springer, Heidelberg (1991)
  7. Rivest, R.L.: The MD4 Message Digest Algorithm. RFC 1186 (October 1990)
  8. Rivest, R.L.: The MD4 Message Digest Algorithm. RFC 1320 (April 1992)
  9. Rivest, R.L.: The MD5 Message Digest Algorithm. RFC 1321 (April 1992)
  10. Chabaud, F., Joux, A.: Differential Collisions in SHA-0. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 56–71. Springer, Heidelberg (1998)
  11. Biham, E., Chen, R.: Near-Collisions of SHA-0. Cryptology ePrint Archive: Report 2004/146 (June 2004), http://eprint.iacr.org/2004/146
  12. Joux, A.: Collisions for SHA-0. In: CRYPTO 2004 rump session (August 2004), http://www.mail-archive.com/cryptography%40metzdowd.com/msg02554.html
  13. Wang, X., Feng, D., Lai, X., Yu, H.: Collisions for Hash Functions MD4, MD5, HAVAL-128, and RIPEMD. In: CRYPTO 2004 rump session (August 2004), http://www.infosec.sdu.edu.cn/paper/199.pdf
  14. Wang, X., Yin, Y.L., Yu, H.: Collision Search Attacks on SHA1 (2005), http://www.infosec.sdu.edu.cn/paper/sha-attack-note.pdf
  15. Wang, X., Lai, X., Feng, D., Chen, H., Yu, X.: Cryptanalysis of the Hash Functions MD4 and RIPEMD. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 1–18. Springer, Heidelberg (2005), http://www.infosec.sdu.edu.cn/paper/md4-ripemd-attck.pdf
  16. Wang, X., Yu, H.: How to Break MD5 and Other Hash Functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005), http://www.infosec.sdu.edu.cn/paper/md5-attack.pdf
  17. Wang, X., Yin, Y.L., Yu, H.: Efficient Collision Search Attacks on SHA-0. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 1–16. Springer, Heidelberg (2005), http://www.infosec.sdu.edu.cn/paper/sha0-crypto-author-new.pdf
  18. Wang, X., Yin, Y.L., Yu, H.: Finding Collisions in the Full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005), http://www.infosec.sdu.edu.cn/paper/sha1-crypto-auth-new-2-yao.pdf
  19. Matusiewicz, K., Pieprzyk, J.: Finding Good Differential Patterns for Attacks on SHA-1. Cryptology ePrint Archive: Report 2004/364 (December 2004), http://eprint.iacr.org/2004/364
  20. Rijmen, V., Oswald, E.: Update on SHA-1. Cryptology ePrint Archive: Report 2005/010 (December 2004), http://eprint.iacr.org/2005/010.pdf
  21. Yuval, G.: How to swindle Rabin. Cryptologia 3(3), 187–189 (1979)
  22. Yin, Y.L.: personal communication (July 2005)
  23. Satoh, A., Inoue, T.: ASIC-Hardware-Focused Comparison for Hash Functions MD5, RIPEMD-160, and SHS. In: Proc. ITCC 2005 (International Conference on Information Technology), April 2005, vol. 1, pp. 532–537 (2005)
  24. IBM Cu-11 Standard Cell / Gate Array ASIC, http://www-03.ibm.com/chips/products/asics/products/cu-11.html

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Akashi Satoh (1)
  1. IBM Research, Tokyo Research Laboratory, IBM Japan, Ltd, Kanagawa, Japan
