Collisions on SHA-0 in One Hour

At Crypto 2007, Joux and Peyrin showed that the boomerang attack, a classical tool in block cipher cryptanalysis, can also be very useful when analyzing hash functions. They applied their new theoretical results to SHA and provided new improvements for the cryptanalysis of this algorithm. In this paper, we concentrate on the case of SHA-0 . First, we show that the previous perturbation vectors used in all known attacks are not optimal and we provide a new 2-block one. The problem of the possible existence of message modifications for this vector is tackled by the utilization of auxiliary differentials from the boomerang attack, relatively simple to use. Finally, we are able to produce the best collision attack against SHA-0 so far, with a measured complexity of 233,6hash function calls. Finding one collision for SHA-0 takes us approximatively one hour of computation on an average PC.

[1]  Mihir Bellare,et al.  Multi-Property-Preserving Hash Domain Extension and the EMD Transform , 2006, ASIACRYPT.

[2]  Xiaoyun Wang,et al.  Finding Collisions in the Full SHA-1 , 2005, CRYPTO.

[3]  Yu Sasaki,et al.  Improved Collision Search for SHA-0 , 2006, ASIACRYPT.

[4]  A. J. Menezes,et al.  Advances in Cryptology - CRYPTO 2007, 27th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2007, Proceedings , 2007, CRYPTO.

[5]  Hui Chen,et al.  Cryptanalysis of the Hash Functions MD4 and RIPEMD , 2005, EUROCRYPT.

[6]  Michael Wiener,et al.  Advances in Cryptology — CRYPTO’ 99 , 1999 .

[7]  Xiaoyun Wang,et al.  Efficient Collision Search Attacks on SHA-0 , 2005, CRYPTO.

[8]  Bruce Schneier One-way hash functions , 1991 .

[9]  尚弘 島影 National Institute of Standards and Technologyにおける超伝導研究及び生活 , 2001 .

[10]  Ivan Damgård,et al.  A Design Principle for Hash Functions , 1989, CRYPTO.

[11]  Ronald Cramer,et al.  Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings , 2005, EUROCRYPT.

[12]  Bruce Schneier,et al.  Second Preimages on n-bit Hash Functions for Much Less than 2n Work , 2005, IACR Cryptol. ePrint Arch..

[13]  Kwangjo Kim,et al.  Advances in Cryptology — ASIACRYPT '96 , 1996, Lecture Notes in Computer Science.

[14]  Victor Shoup Advances in Cryptology - CRYPTO 2005: 25th Annual International Cryptology Conference, Santa Barbara, California, USA, August 14-18, 2005, Proceedings , 2005, CRYPTO.

[15]  Antoine Joux,et al.  Collisions of SHA-0 and Reduced SHA-1 , 2005, EUROCRYPT.

[16]  Eli Biham,et al.  A Framework for Iterative Hash Functions - HAIFA , 2007, IACR Cryptol. ePrint Arch..

[17]  James H. Burrows,et al.  Secure Hash Standard , 1995 .

[18]  Kefei Chen,et al.  Advances in Cryptology - ASIACRYPT 2006, 12th International Conference on the Theory and Application of Cryptology and Information Security, Shanghai, China, December 3-7, 2006, Proceedings , 2006, ASIACRYPT.

[19]  David A. Wagner,et al.  The Boomerang Attack , 1999, FSE.

[20]  Gerhard Goos,et al.  Fast Software Encryption , 2001, Lecture Notes in Computer Science.

[21]  Florian Mendel,et al.  Collisions for 70-Step SHA-1: On the Full Cost of Collision Search , 2007, Selected Areas in Cryptography.

[22]  Antoine Joux,et al.  Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions , 2004, CRYPTO.

[23]  Hans Dobbertin,et al.  Cryptanalysis of MD4 , 1996, Journal of Cryptology.

[24]  Hugo Krawczyk,et al.  Advances in Cryptology - CRYPTO '98 , 1998 .

[25]  Alfred Menezes,et al.  Handbook of Applied Cryptography , 2018 .

[26]  Andrew W. Appel,et al.  Formal aspects of mobile code security , 1999 .

[27]  Matthew Franklin,et al.  Advances in Cryptology – CRYPTO 2004 , 2004, Lecture Notes in Computer Science.

[28]  Ralph C. Merkle,et al.  One Way Hash Functions and DES , 1989, CRYPTO.

[29]  Thomas Peyrin,et al.  Hash Functions and the (Amplified) Boomerang Attack , 2007, CRYPTO.

[30]  Adi Shamir,et al.  Breaking the ICE - Finding Multicollisions in Iterated Concatenated and Expanded (ICE) Hash Functions , 2006, FSE.

[31]  Christophe De Cannière,et al.  Finding SHA-1 Characteristics: General Results and Applications , 2006, ASIACRYPT.

[32]  Eli Biham,et al.  Near-Collisions of SHA-0 , 2004, CRYPTO.

[33]  Xiaoyun Wang,et al.  How to Break MD5 and Other Hash Functions , 2005, EUROCRYPT.

[34]  Antoine Joux,et al.  Differential Collisions in SHA-0 , 1998, CRYPTO.