论文信息 - New ASIC/FPGA Cost Estimates for SHA-1 Collisions

New ASIC/FPGA Cost Estimates for SHA-1 Collisions

SHA-1 remains, till date, the most widely used hash function, in spite of several successful cryptanalytic attacks against it. These attacks, however, remain impractical due to high computation complexity and associated cost. We endeavor to do cost-time product estimation for an attack by the aid of application-specific hardware acceleration. This work proposes an Application-Specific Instruction-set Processor (ASIP), named Cracken. Cracken is aimed to efficiently realize near collision attack on SHA-1. The estimations of the physical attack complexity is done using 65nm standard CMOS technology and commercial FPGA devices. It is estimated, with post-layout simulations, that Stevens' differential attack with an estimated complexity of 257.5, can be executed in 46 days using 4096 Cracken cores at a cost of €15m. Estimation for real collision with complexity 261 is also done. Our cost-time estimates reveal that an FPGA-based attack is more efficient compared to ASIC. Previously reported SHA-1 attacks based on ASIC and cloud computing platforms are also compiled and benchmarked for reference.

[1] Xiaoyun Wang,et al. Finding Collisions in the Full SHA-1 , 2005, CRYPTO.

[2] Christophe De Cannière,et al. Finding SHA-1 Characteristics: General Results and Applications , 2006, ASIACRYPT.

[3] Vincent Rijmen,et al. Update on SHA-1 , 2005, CT-RSA.

[4] Marc Stevens. Attacks on Hash Functions and Applications , 2012 .

[5] Florian Mendel,et al. Collisions for 70-Step SHA-1: On the Full Cost of Collision Search , 2007, Selected Areas in Cryptography.

[6] Antoine Joux,et al. Differential Collisions in SHA-0 , 1998, CRYPTO.

[7] Evgeny A. Grechnikov. Collisions for 72-step and 73-step SHA-1: Improvements in the Method of Characteristics , 2010, IACR Cryptol. ePrint Arch..

[8] Tim Güneysu,et al. Cryptanalysis with COPACOBANA , 2008, IEEE Transactions on Computers.

[9] Marc Stevens,et al. New Collision Attacks on SHA-1 Based on Optimal Joint Local-Collision Analysis , 2013, EUROCRYPT.

[10] Akashi Satoh,et al. Hardware Architecture and Cost Estimates for Breaking SHA-1 , 2005, ISC.

[11] Andrew V. Adinetz,et al. Building a Collision for 75-Round Reduced SHA-1 Using GPU Clusters , 2012, Euro-Par.