Cryptology ePrint Archive: Report 2014/694
Malicious Hashing: Eve's Variant of SHA-1
Ange Albertini and Jean-Philippe Aumasson and Maria Eichlseder and Florian Mendel and Martin Schläffer
Abstract: We present collisions for a version of SHA-1 with modified constants, where the colliding payloads are valid binary files. Examples are given of colliding executables, archives, and images. Our malicious SHA-1 instances have round constants that differ from the original ones in only 40 bits (on average). Modified versions of cryptographic standards are typically used on closed systems (e.g., in pay-TV, media and gaming platforms) and aim to differentiate cryptographic components across customers or services. Our proof-of-concept thus demonstrates the exploitability of custom SHA-1 versions for malicious purposes, such as the injection of user surveillance features. To encourage further research on such malicious hash functions, we propose definitions of malicious hash functions and of associated security notions.
Category / Keywords: secret-key cryptography / hash functions, cryptanalysis, SHA-1, malicious cryptography, backdoors
Original Publication (with minor differences): SAC 2014
Date: received 3 Sep 2014
Contact author: maria eichlseder at iaik tugraz at
Available format(s): PDF | BibTeX Citation
Note: Extended version of SAC 2014 paper.
Version: 20140904:061247 (All versions of this report)
Short URL: ia.cr/2014/694
Discussion forum: Show discussion | Start new discussion
[ Cryptology ePrint archive ]