Paper 2014/694

Malicious Hashing: Eve's Variant of SHA-1

Ange Albertini, Jean-Philippe Aumasson, Maria Eichlseder, Florian Mendel, and Martin Schläffer

Abstract

We present collisions for a version of SHA-1 with modified constants, where the colliding payloads are valid binary files. Examples are given of colliding executables, archives, and images. Our malicious SHA-1 instances have round constants that differ from the original ones in only 40 bits (on average). Modified versions of cryptographic standards are typically used on closed systems (e.g., in pay-TV, media and gaming platforms) and aim to differentiate cryptographic components across customers or services. Our proof-of-concept thus demonstrates the exploitability of custom SHA-1 versions for malicious purposes, such as the injection of user surveillance features. To encourage further research on such malicious hash functions, we propose definitions of malicious hash functions and of associated security notions.

Note: Extended version of SAC 2014 paper. Web: http://malicioussha1.github.io/

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. Minor revision. SAC 2014
Keywords
hash functions, cryptanalysis, SHA-1, malicious cryptography, backdoors
Contact author(s)
maria eichlseder @ iaik tugraz at
History
2014-09-04: received
Short URL
https://ia.cr/2014/694
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2014/694,
      author = {Ange Albertini and Jean-Philippe Aumasson and Maria Eichlseder and Florian Mendel and Martin Schläffer},
      title = {Malicious Hashing: Eve's Variant of SHA-1},
      howpublished = {Cryptology ePrint Archive, Paper 2014/694},
      year = {2014},
      note = {\url{https://eprint.iacr.org/2014/694}},
      url = {https://eprint.iacr.org/2014/694}
}