Freestart Collision for Full SHA-1

  • Marc StevensEmail author
  • Pierre Karpman
  • Thomas Peyrin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9665)


This article presents an explicit freestart colliding pair for SHA-1, i.e. a collision for its internal compression function. This is the first practical break of the full SHA-1, reaching all 80 out of 80 steps. Only 10 days of computation on a 64-GPU cluster were necessary to perform this attack, for a runtime cost equivalent to approximately \(2^{57.5}\) calls to the compression function of SHA-1 on GPU. This work builds on a continuous series of cryptanalytic advancements on SHA-1 since the theoretical collision attack breakthrough of 2005. In particular, we reuse the recent work on 76-step SHA-1 of Karpman et al. from CRYPTO 2015 that introduced an efficient framework to implement (freestart) collisions on GPUs; we extend it by incorporating more sophisticated accelerating techniques such as boomerangs. We also rely on the results of Stevens from EUROCRYPT 2013 to obtain optimal attack conditions; using these techniques required further refinements for this work.

Freestart collisions do not directly imply a collision for the full hash function. However, this work is an important milestone towards an actual SHA-1 collision and it further shows how GPUs can be used very efficiently for this kind of attack. Based on the state-of-the-art collision attack on SHA-1 by Stevens from EUROCRYPT 2013, we are able to present new projections on the computational and financial cost required for a SHA-1 collision computation. These projections are significantly lower than what was previously anticipated by the industry, due to the use of the more cost efficient GPUs compared to regular CPUs.

We therefore recommend the industry, in particular Internet browser vendors and Certification Authorities, to retract SHA-1 quickly. We hope the industry has learned from the events surrounding the cryptanalytic breaks of MD5 and will retract SHA-1 before concrete attacks such as signature forgeries appear in the near future.


SHA-1 Hash function Cryptanalysis Freestart collision GPU implementation 



We would like to express our gratitude to Orr Dunkelman for the use of his cluster with NVidia Tesla K10 cards. We also thank the anonymous reviewers for their helpful comments.


  1. 1.
    Biham, E., Chen, R.: Near-collisions of SHA-0. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 290–305. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  2. 2.
    Biham, E., Chen, R., Joux, A., Carribault, P., Lemuet, C., Jalby, W.: Collisions of SHA-0 and reduced SHA-1. In: Cramer [5], pp. 36–57Google Scholar
  3. 3.
    Brassard, G. (ed.): Advances in Cryptology - CRYPTO 1989. LNCS, vol. 435. Springer, Heidelberg (1990)zbMATHGoogle Scholar
  4. 4.
    Chabaud, F., Joux, A.: Differential collisions in SHA-0. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 56–71. Springer, Heidelberg (1998)Google Scholar
  5. 5.
    Cramer, R. (ed.): Advances in Cryptology – EUROCRYPT 2005. LNCS, vol. 3494. Springer, Heidelberg (2005)zbMATHGoogle Scholar
  6. 6.
    Damgård, I.B.: A design principle for hash functions. In: Brassard [3], pp. 416–427Google Scholar
  7. 7.
    De Cannière, C., Mendel, F., Rechberger, C.: Collisions for 70-Step SHA-1: on the full cost of collision search. In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 56–73. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  8. 8.
    De Cannière, C., Rechberger, C.: Finding SHA-1 characteristics: general results and applications. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 1–20. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  9. 9.
    den Boer, B., Bosselaers, A.: An attack on the last two rounds of MD4. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 194–203. Springer, Heidelberg (1992)Google Scholar
  10. 10.
    den Boer, B., Bosselaers, A.: Collisions for the compression function of MD-5. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 293–304. Springer, Heidelberg (1994)Google Scholar
  11. 11.
    Dobbertin, H.: Cryptanalysis of MD4. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 53–69. Springer, Heidelberg (1996)CrossRefGoogle Scholar
  12. 12.
    Forum, C.: Ballot 152 - Issuance of SHA-1 certificates through 2016. Cabforum mailing list (2015).
  13. 13.
    Forum, C.: Ballot 152 - Issuance of SHA-1 certificates through 2016. Cabforum mailing list (2015).
  14. 14.
    Grechnikov, E.A.: Collisions for 72-step and 73-step SHA-1: Improvements in the Method of Characteristics. IACR Cryptology ePrint Archive 2010, 413 (2010)Google Scholar
  15. 15.
    Grechnikov, E.A., Adinetz, A.V.: Collision for 75-step SHA-1: Intensive Parallelization with GPU. IACR Cryptology ePrint Archive 2011, 641 (2011)Google Scholar
  16. 16.
    Hashclash project webpage.
  17. 17.
    Joux, A., Peyrin, T.: Hash functions and the (Amplified) boomerang attack. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 244–263. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  18. 18.
    Jutla, C.S., Patthak, A.C.: A matching lower bound on the minimum weight of sha-1 expansion code. Cryptology ePrint Archive, Report 2005/266 (2005)Google Scholar
  19. 19.
    Karpman, P., Peyrin, T., Stevens, M.: Practical free-start collision attacks on 76-step SHA-1. In: Gennaro, R., Robshaw, M. (eds.) Advances in Cryptology – CRYPTO 2015. LNCS, vol. 9215, pp. 623–642. Springer, Heidelberg (2015). CrossRefGoogle Scholar
  20. 20.
    Manuel, S.: Classification and generation of disturbance vectors for collision attacks against sha-1. Cryptology ePrint Archive, Report 2008/469 (2008)Google Scholar
  21. 21.
    Manuel, S.: Classification and generation of disturbance vectors for collision attacks against SHA-1. Des. Codes Cryptography 59(1–3), 247–263 (2011)MathSciNetCrossRefzbMATHGoogle Scholar
  22. 22.
    Matusiewicz, K., Pieprzyk, J.: Finding good differential patterns for attacks on SHA-1. In: Ytrehus, Ø. (ed.) WCC 2005. LNCS, vol. 3969, pp. 164–177. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  23. 23.
    Mendel, F., Pramstaller, N., Rechberger, C., Rijmen, V.: The impact of carries on the complexity of collision attacks on SHA-1. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 278–292. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  24. 24.
    Merkle, R.C.: One way hash functions and DES. In: Brassard [3], pp. 428–446Google Scholar
  25. 25.
    Microsoft: SHA-1 Deprecation Update. Microsoft blog (2015)Google Scholar
  26. 26.
    Mozilla: Continuing to Phase Out SHA-1 Certificates. Mozilla Security Blog (2015)Google Scholar
  27. 27.
    National Institute of Standards and Technology: FIPS 180: Secure Hash Standard, May 1993Google Scholar
  28. 28.
    National Institute of Standards and Technology: FIPS 180–1: Secure Hash Standard, April 1995Google Scholar
  29. 29.
    National Institute of Standards and Technology: FIPS 180–2: Secure Hash Standard, August 2002Google Scholar
  30. 30.
    National Institute of Standards and Technology: Special Publication 800–57 - Recommendation for Key Management Part 1: General (Revision 3), July 2012Google Scholar
  31. 31.
    National Institute of Standards and Technology: FIPS 202: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions, August 2015Google Scholar
  32. 32.
    Nvidia Corporation: Nvidia Geforce GTX 970 Specifications.
  33. 33.
    Pramstaller, N., Rechberger, C., Rijmen, V.: Exploiting Coding Theory for Collision Attacks on SHA-1. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 78–95. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  34. 34.
    Rijmen, V., Oswald, E.: Update on SHA-1. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 58–71. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  35. 35.
    Rivest, R.L.: The MD4 message digest algorithm. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 303–311. Springer, Heidelberg (1991)Google Scholar
  36. 36.
    Rivest, R.L.: RFC 1321: the MD5 message-digest algorithm, April 1992Google Scholar
  37. 37.
    Schneier, B.: When will we see collisions for sha-1? Schneier on Security (2012)Google Scholar
  38. 38.
    Services, A.W: Amazon EC2 - Virtual Server Hosting., Retrieved Jan 2016
  39. 39.
    Shoup, V. (ed.): Advances in Cryptology – CRYPTO 2005. LNCS, vol. 3621. Springer, Heidelberg (2005)zbMATHGoogle Scholar
  40. 40.
    Survey of the ssl implementation of the most popular web sites. TIM Trustworthy Internet Movement (2015).
  41. 41.
    Stevens, M.: Attacks on Hash Functions and Applications. Ph.D. thesis, Leiden University, June 2012Google Scholar
  42. 42.
    Stevens, M.: Counter-cryptanalysis. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 129–146. Springer, Heidelberg (2013). CrossRefGoogle Scholar
  43. 43.
    Stevens, M.: New collision attacks on SHA-1 based on optimal joint local-collision analysis. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 245–261. Springer, Heidelberg (2013). CrossRefGoogle Scholar
  44. 44.
    Stevens, M., Lenstra, A.K., de Weger, B.: Chosen-prefix collisions for MD5 and colliding X.509 certificates for different identities. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 1–22. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  45. 45.
    Stevens, M., Sotirov, A., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, D.A., de Weger, B.: Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 55–69. Springer, Heidelberg (2009). CrossRefGoogle Scholar
  46. 46.
    Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup [38], pp. 17–36Google Scholar
  47. 47.
    Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer [5], pp. 19–35Google Scholar
  48. 48.
    Wang, X., Yu, H., Yin, Y.L.: Efficient collision search attacks on SHA-0. In: Shoup [38], pp. 1–16Google Scholar
  49. 49.
    Yajima, J., Iwasaki, T., Naito, Y., Sasaki, Y., Shimoyama, T., Kunihiro, N., Ohta, K.: A strict evaluation method on the number of conditions for the SHA-1 collision search. In: Abe, M., Gligor, V.D. (eds.) ASIACCS, pp. 10–20. ACM (2008)Google Scholar

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  1. 1.Centrum Wiskunde & InformaticaAmsterdamThe Netherlands
  2. 2.InriaSaclayFrance
  3. 3.École PolytechniquePalaiseauFrance
  4. 4.Nanyang Technological UniversitySingaporeSingapore

Personalised recommendations