Notes on the Wang et al. $2^{63}$ SHA-1 Differential Path

Martin Cochran

Abstract

Although advances in SHA-1 cryptanalysis have been made since the 2005 announcement of a $2^{63}$ attack by Wang et al., the details of the attack have not yet been vetted; this note does just that. Working from Adi Shamir's 2005 CRYPTO rump session presentation of Wang et al.'s work, this note corroborates and presents the differential path and associated conditions for the two-block attack. Although the error analysis for the advanced condition correction technique is not verified, a method is given which yields a two-block collision attack on SHA-1 requiring an estimated $2^{62}$ SHA-1 computations if the original error analysis by Wang et al. is correct.

Note: Added the second-block differential path and fixed several errors in the first-block differential path. Many thanks to Thomas Peyrin for finding the errors and sending me the second-block path.

Available format(s)
Category
Cryptographic protocols
Publication info
Published elsewhere. Unknown where it was published
Keywords
Cryptographic Hash FunctionsCryptanalysisSHA-1
Contact author(s)
History
2008-08-25: last of 3 revisions
See all versions
Short URL
https://ia.cr/2007/474

CC BY

BibTeX

@misc{cryptoeprint:2007/474,
author = {Martin Cochran},
title = {Notes on the Wang et al. $2^{63}$ SHA-1 Differential Path},
howpublished = {Cryptology ePrint Archive, Paper 2007/474},
year = {2007},
note = {\url{https://eprint.iacr.org/2007/474}},
url = {https://eprint.iacr.org/2007/474}
}

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.