Second-Preimage Analysis of Reduced SHA-1

Christian Rechberger

    Research output: Contribution to journalConference articleResearchpeer-review


    Many applications using cryptographic hash functions do not require collision resistance, but some kind of preimage resistance. That's also the reason why the widely used SHA-1 continues to be recommended in all applications except digital signatures after 2010. Recent work on preimage and second preimage attacks on reduced SHA-1 succeeding up to 48 out of 80 steps (with results barely below the 2(n) time complexity of brute-force search) suggest that there is plenty of security margin left. In this paper we show that the security margin is actually somewhat lower, when only second preimages are the goal. We do this by giving two examples, using known differential properties of SHA-1. First, we reduce the complexity of a 2nd-preimage shortcut attack on 34-step SHA-1 from an impractically high complexity to practical complexity. Next, we show a property for up to 61 steps of the SHA-1 compression function that violates some variant of a natural second preimage resistance assumption, adding 13 steps to previously best known results.
    Original languageEnglish
    Book seriesLecture Notes in Computer Science
    Pages (from-to)104-116
    Publication statusPublished - 2010
    EventInformation Security and Privacy: 15th Australasian Conference - Sydney, Australia
    Duration: 5 Jul 20107 Jul 2010


    ConferenceInformation Security and Privacy


    • Hash function
    • Cryptanalysis
    • SHA-1
    • Preimage
    • Second preimage
    • Differential


    Dive into the research topics of 'Second-Preimage Analysis of Reduced SHA-1'. Together they form a unique fingerprint.

    Cite this