Paper 2007/474

Notes on the Wang et al. $2^{63}$ SHA-1 Differential Path

Martin Cochran


Although advances in SHA-1 cryptanalysis have been made since the 2005 announcement of a $2^{63}$ attack by Wang et al., the details of the attack have not yet been vetted; this note does just that. Working from Adi Shamir's 2005 CRYPTO rump session presentation of Wang et al.'s work, this note corroborates and presents the differential path and associated conditions for the two-block attack. Although the error analysis for the advanced condition correction technique is not verified, a method is given which yields a two-block collision attack on SHA-1 requiring an estimated $2^{62}$ SHA-1 computations if the original error analysis by Wang et al. is correct.

Note: Added the second-block differential path and fixed several errors in the first-block differential path. Many thanks to Thomas Peyrin for finding the errors and sending me the second-block path.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. Unknown where it was published
Cryptographic Hash FunctionsCryptanalysisSHA-1
Contact author(s)
Martin Cochran @ colorado edu
2008-08-25: last of 3 revisions
2007-12-19: received
See all versions
Short URL
Creative Commons Attribution


      author = {Martin Cochran},
      title = {Notes on the Wang et al. $2^{63}$ {SHA}-1 Differential Path},
      howpublished = {Cryptology ePrint Archive, Paper 2007/474},
      year = {2007},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.