Freestart collisions do not directly imply a collision for the full hash function. However, this work is an important milestone towards an actual SHA-1 collision and it further shows how GPUs can be used very efficiently for this kind of attack. Based on the state-of-the-art collision attack on SHA-1 by Stevens from EUROCRYPT 2013, we are able to present new projections on the computational and financial cost required for a SHA-1 collision computation. These projections are significantly lower than what was previously anticipated by the industry, due to the use of the more cost efficient GPUs compared to regular CPUs.
We therefore recommend the industry, in particular Internet browser vendors and Certification Authorities, to retract SHA-1 quickly. We hope the industry has learned from the events surrounding the cryptanalytic breaks of MD5 and will retract SHA-1 before concrete attacks such as signature forgeries appear in the near future.Category / Keywords: symmetric-key cryptography / SHA-1, hash function, cryptanalysis, freestart collision, GPU implementation Original Publication (in the same form): IACR-EUROCRYPT-2016 Date: received 8 Oct 2015, last revised 22 Feb 2016 Contact author: stevens at cwi nl Available format(s): PDF | BibTeX Citation Version: 20160222:111156 (All versions of this report) Short URL: ia.cr/2015/967 Discussion forum: Show discussion | Start new discussion