New Collision Attacks on SHA-1 Based on Optimal Joint Local-Collision Analysis

  • Marc Stevens
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7881)


The main contributions of this paper are two-fold.

Firstly, we present a novel direction in the cryptanalysis of the cryptographic hash function SHA-1. Our work builds on previous cryptanalytic efforts on SHA-1 based on combinations of local collisions. Due to dependencies, previous approaches used heuristic corrections when combining the success probabilities and message conditions of the individual local collisions. Although this leads to success probabilities that are seemingly sufficient for feasible collision attacks, this approach most often does not lead to the maximum success probability possible as desired. We introduce novel techniques that enable us to determine the theoretical maximum success probability for a given set of (dependent) local collisions, as well as the smallest set of message conditions that attains this probability. We apply our new techniques and present an implemented open-source near-collision attack on SHA-1 with a complexity equivalent to $2^{57.5}$ SHA-1 compressions.

Secondly, we present an identical-prefix collision attack and a chosen-prefix collision attack on SHA-1 with complexities equivalent to approximately $2^{61}$ and $2^{77.1}$ SHA-1 compressions, respectively.



Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  • Marc Stevens (1)
  1. CWI, Amsterdam, The Netherlands
