# Information Security and Cryptography Research Group

## New Preimage Attacks Against Reduced SHA-1

### Simon Knellwolf and Dmitry Khovratovich

CRYPTO, Lecture Notes in Computer Science, Springer, vol. 7417, pp. 367-383, 2012.

This paper shows preimage attacks against reduced SHA-1 up to 57 steps. The best previous attack has been presented at CRYPTO 2009 and was for 48 steps finding a two-block preimage with incorrect padding at the cost of $2^{159.3}$ evaluations of the compression function. For the same variant our attacks find a one-block preimage at 2150.6 and a correctly padded two-block preimage at $2^{151.1}$ evaluations of the compression function. The improved results come out of a differential view on the meet-in-the-middle technique originally developed by Aoki and Sasaki. The new framework closely relates meet-in-the-middle attacks to differential cryptanalysis which turns out to be particularly useful for hash functions with linear message expansion and weak diffusion properties.

## BibTeX Citation

@inproceedings{KneKho12,
author       = {Simon Knellwolf and Dmitry Khovratovich},
title        = {New Preimage Attacks Against Reduced SHA-1},
editor       = {Reihaneh Safavi-Naini and Ran Canetti},
booktitle    = {CRYPTO},
pages        = {367-383},
series       = {Lecture Notes in Computer Science},
volume       = {7417},
year         = {2012},
publisher    = {Springer},
}