SHA-0

The SHA-0 is the ancestor of SHA-1. The SHA-0 was quickly put on side by NIST for safety reasons insufficient. The SHA-0 was legitimately suspected of containing faults which would make it possible to lead quickly to collisions (two different documents which generate same the condensate ). Vis-a-vis the controversy raised by the operation of the SHA-0 and certain reports which one allots to NSA, the SHA-0 was seen modified shortly after its exit (1993) and complexed to obtain the SHA-1 (1995). A complete collision on the SHA-0 was discovered by Antoine Joux and Al (August 12th, 2004). Another attack suggested by Eli Biham made it possible to obtain Pseudo-collision S on the near total of the bits.

Advertisement of the collision

August 12th, 2004, Antoine Joux and the members of his team announce to have found a collision on SHA-0. They give more precise English information about the attack:

Thursday 12th, August 2004

We are glad to announce that we found has collision for SHA-0.

First message (2048 bits represented in hex): a766a602 b65cffe7 73bcf258 26b322b3 d01b1a97 2684ef53 3e3b4b7f 53fe3762 24c08e47 e959b2bc 3b519880 b9286568 247d110f 70f5c5e2 b4590ca3 f55f52fe effd4c8f e68de835 329e603c c51e7f02 545410d1 671d108d f5a4000d cf20a439 4949d72c d14fbb03 45cf3a29 5dcda89f 998f8755 2c9a58b1 bdc38483 5e477185 f96e68be bb0025d2 d2b69edf 21724198 f688b41d eb9b4913 fbe696b5 457ab399 21e1d759 1f89de84 57e8613c 6c9e3b24 2879d4d8 783 B 2 D 9 C.A. 9935ea5 26a729c0 6edfc501 37e69330 be976012 cc5dfe1c 14c4c68b d1db3ecb 24438a59 a09b5db4 35563e0d 8bdf572f 77b53065 cef31f32 dc9dbaa0 4146261e 9994bd 5c d0758e3d

Second message: a766a602 b65cffe7 73bcf258 26b322b1 d01b1ad7 2684ef51 be3b4b7f d3fe3762 a4c08e45 e959b2fc 3b519880 39286528 a47d110d 70f5c5e0 34590ce3 755f52fc 6ffd4c8d 668de875 329e603e 451e7f02 d45410d1 e71d108d f5a4000d cf20a439 4949d72c d14fbb01 45cf3a69 5dcda89d 198f8755 ac9a58b1 3dc38481 5e4771c5 796e68fe bb0025d0 52b69edd a17241d8 7688b41f 6b9b4911 7be696f5 c57ab399 a1e1d719 9f89de86 57e8613c ec9e3b26 a879d498 783b2d9e 29935ea7 a6a72980 6edfc503 37e69330 3e976010 4c5dfe5c 14c4c689 51db3ecb a4438a59 209b5db4 35563e0d 8bdf572f 77b53065 cef31f30 dc9dbae0 4146261c 1994bd 5c 50758e3d

Common hash been worth (edge Be found using for example " openssl sha file.bin" after creating has binary file containing any off the messages) c9f160777d4086fe8095fba58b7e20c228a4006b

This was gives by using has generalization off the attack presented At Crypto' 98 by Chabaud and Joux. This generalization takes iterative advantage off the structure off SHA-0. We also used the "neutral bit" technique off Biham and Chen (To Be presented At Crypto' 2004).

The computation was performed one TERA NOVA (has 256 INTEL-Itanium2 system developped by BULL SA, installed in the ECA open PREJUDICE laboratory TERA TECH). It required approximatively 80.000 CPU hours. The complexity off the attack was butt 2^51.

We would like to thank ECA PREJUDICE, CAPES Undertaken and BULL SA for to their strong support to station-wagon this challenge.

Antoine Joux (*) (DCSSI Crypto Lab) Patrick Carribault (Bull SA) Christophe Lemuet, William Jalby (Universit' E of Versailles/Saint-Quentin in Yvelines)

(*) The theoretical cryptanalysis was developped by this author. The three others authors ported and optimized the attack one the TERA NOVA supercomputer, using CAPES Undertaken tools.

$hexdump fic1.bin 0000000 66a7 02a6 5cb6 e7ff bc73 58f2 b326 b322 0000010 1bd 0 971a 8426 53ef 3b3e 7f4b fe53 6237 0000020 c024 478e 59e9 bcb2 513b 8098 28b9 6865 0000030 7d24 0f11 f570 e2c5 59b4 a30c 5ff5 fe52 0000040 fdef 8f4c 8de6 35e8 9e32 3c60 1ec5 027f 0000050 5454 d110 1d67 8d10 a4f5 0d00 20cf 39a4 0000060 4949 2cd7 4fd1 03bb cf45 293a cd5d 9fa8 0000070 8f99 5587 9a2c b158 C 3bd 8384 475e 8571 0000080 6ef9 be68 00bb d225 b6d2 df9e 7221 9841 0000090 88f6 1db4 9beb 1349 e6fb b596 7a45 99b3 00000a0 e121 59d7 891f 84de e857 3c61 9e6c 243b 00000b0 7928 d8d4 3b78 9c2d 93a9 a55e a726 c029 00000c0 df6e 01c5 e637 3093 97be 1260 5dcc 1cfe 00000d0 c414 8bc6 dbd1 cb3e 4324 598a 9ba0 b45d 00000e0 5635 0d3e df8b 2f57 b577 6530 f3ce 321f 00000f0 9ddc a0ba 4641 1e26 9499 5cbd 75d0 3d8e

$ hexdump fic2.bin 0000000 66a7 02a6 5cb6 e7ff bc73 58f2 b326 b122 0000010 1bd 0 d71a 8426 51ef 3bbe 7f4b fed3 6237 0000020 c0a4 458e 59e9 fcb2 513b 8098 2839 2865 0000030 7da4 0d11 f570 e0c5 5934 e30c 5f75 fc52 0000040 fd6f 8d4c 8d66 75e8 9e32 3e60 1e45 027f 0000050 54d4 d110 1de7 8d10 a4f5 0d00 20cf 39a4 0000060 4949 2cd7 4fd1 01bb cf45 693a cd5d 9da8 0000070 8f19 5587 9aac b158 c33d 8184 475e c571 0000080 6e79 fe68 00bb d025 b652 dd9e 72a1 d841 0000090 8876 1fb4 9b6b 1149 e67b f596 7ac5 99b3 00000a0 e1a1 19d7 899f 86de e857 3c61 9eec 263b 00000b0 79a8 98d4 3b78 9e2d 9329 a75e a7a6 8029 00000c0 df6e 03c5 e637 3093 973e 1060 5d4c 5cfe 00000d0 c414 89c6 db51 cb3e 43a4 598a 9b20 b45d 00000e0 5635 0d3e df8b 2f57 b577 6530 f3ce 301f 00000f0 9ddc e0ba 4641 1c26 9419 5cbd 7550 3d8e

$ diff fic1.bin fic2.bin Binary files fic1.bin and fic2.bin differ

$ openssl sha fic1.bin SHA (fic1.bin) = c9f160777d4086fe8095fba58b7e20c228a4006b

$ openssl sha fic2.bin SHA (fic2.bin) = c9f160777d4086fe8095fba58b7e20c228a4006b

See too

MD5
RIPEMD

Random links: