Algebraic Cryptanalysis of 58-Round SHA-1

  • Makoto Sugita
  • Mitsuru Kawazoe
  • Ludovic Perret
  • Hideki Imai
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4593)


In 2004, a new attack against SHA-1 was proposed by a team led by Wang [15]. The aim of this article is to refine and improve Wang’s attack by using algebraic techniques. We introduce two new notions, namely the semi-neutral bit and the adjuster, and then propose an improved message modification technique based on algebraic techniques. In the case of the 58-round SHA-1, the experimental complexity of our improved attack is 2^31 SHA-1 computations, whereas Wang’s method needs 2^34 SHA-1 computations. We have found many new collisions for the 58-round SHA-1. We also study the complexity of our attack for the full SHA-1.


Keywords: SHA-1, Gröbner basis, differential attack


References

  1. Biham, E., Chen, R., Joux, A., Carribault, P., Lemuet, C., Jalby, W.: Collisions of SHA-0 and Reduced SHA-1. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 36–57. Springer, Heidelberg (2005)
  2. Biham, E., Chen, R.: Near-Collisions of SHA-0. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 290–305. Springer, Heidelberg (2004)
  3. De Cannière, C., Rechberger, C.: Finding SHA-1 Characteristics. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 1–20. Springer, Heidelberg (2006)
  4. Chabaud, F., Joux, A.: Differential Collisions in SHA-0. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 56–71. Springer, Heidelberg (1998)
  5. Dobbertin, H.: Cryptanalysis of MD4. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 53–69. Springer, Heidelberg (1996)
  6. Hui, L.C.K., Wang, X., Chow, K.P., Tsang, W.W., Chong, C.F., Chan, H.W.: The Differential Analysis of Skipjack Variants from the first Round. In: Advance in Cryptography – CHINACRYPT 2002. Science Publishing House (2002)
  7. Joux, A.: Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 306–316. Springer, Heidelberg (2004)
  8. Pramstaller, N., Rechberger, C., Rijmen, V.: Exploiting Coding Theory for Collision Attacks on SHA-1. In: Smart, N.P. (ed.) Cryptography and Coding. LNCS, vol. 3796, pp. 78–95. Springer, Heidelberg (2005)
  9. Sugita, M., Kawazoe, M., Imai, H.: Gröbner Basis Based Cryptanalysis of SHA-1. IACR Cryptology ePrint Archive 2006/098 (2006)
  10. Sugita, M., Kawazoe, M., Imai, H.: Gröbner Basis Based Cryptanalysis of SHA-1. In: Proc. of second NIST Cryptographic HASH workshop (2006)
  11. Wang, X., Lai, X., Feng, D., Chen, H., Yu, X.: Cryptanalysis of the Hash Functions MD4 and RIPEMD. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 1–18. Springer, Heidelberg (2005)
  12. Wang, X., Feng, D., Yu, X.: An Attack on Hash Function HAVAL-128. Science in China Series 48, 545–556 (2005)
  13. Wang, X., Yao, A.C., Yao, F.: Cryptanalysis on SHA-1. In: Proc. of NIST Cryptographic Hash Workshop (2005)
  14. Wang, X., Yin, Y.L., Yu, H.: New Collision Search for SHA-1. In: Rump Session of CRYPTO (2005)
  15. Wang, X., Yin, Y.L., Yu, H.: Finding Collisions in the Full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005)
  16. Wang, X., Yu, H.: How to Break MD5 and Other Hash Functions. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)
  17. Wang, X., Yu, H., Yin, Y.L.: Efficient Collision Search Attacks on SHA-0. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 1–16. Springer, Heidelberg (2005)
  18. Wang, X.: The Collision attack on SHA-0 (1997)
  19. Wang, X.: The Improved Collision attack on SHA-0 (1998)
  20. Wang, X.: Collisions for Some Hash Functions MD4, MD5, HAVAL-128, RIPEMD. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, Springer, Heidelberg (2004)
  21. Wang, X.: Cryptanalysis of Hash Functions and Potential Dangers. In: RSA Conference 2006, San Jose, USA (2006)
  22. Klima, V.: Tunnels in Hash Functions: MD5 Collisions Within a Minute. IACR Cryptology ePrint Archive 2006/105 (2006)

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Makoto Sugita (1)
  • Mitsuru Kawazoe (2)
  • Ludovic Perret (3)
  • Hideki Imai (4)

  1. IT Security Center, Information-technology Promotion Agency, Japan, 2-28-8 Honkomagome, Bunkyo-ku, Tokyo 113-6591, Japan
  2. Faculty of Liberal Arts and Sciences, Osaka Prefecture University, 1-1 Gakuen-cho, Naka-ku, Sakai, Osaka 599-8531, Japan
  3. SPIRAL/SALSA, Site Passy-Kennedy, LIP6 – Paris 6 University, 104 avenue du Président Kennedy, 75016 Paris, France
  4. National Institute of Advanced Industrial Science and Technology (AIST), Akihabara Dai Bldg., 1-18-13 Sotokanda, Chiyoda-ku, Tokyo 101-0021, Japan; Department of Electrical, Electronic and Communication Engineering, Faculty of Science and Engineering, Chuo University, 1-13-27 Kasuga, Bunkyo-ku, Tokyo 112-8551, Japan
