Joux found a collision for SHA-0 !

[Pascal Junod]

Hi !This has appeared on a french mailing-list related to crypto. The results of Joux improve on those of Chen and Biham which will be presented next week at CRYPTO'04.Enjoy !<quote>Thursday 12th, August 2004We are glad to announce that we found a collision for SHA-0.First message (2048 bits represented in hex):a766a602 b65cffe7 73bcf258 26b322b3 d01b1a97 2684ef53 3e3b4b7f 53fe376224c08e47 e959b2bc 3b519880 b9286568 247d110f 70f5c5e2 b4590ca3 f55f52feeffd4c8f e68de835 329e603c c51e7f02 545410d1 671d108d f5a4000d cf20a4394949d72c d14fbb03 45cf3a29 5dcda89f 998f8755 2c9a58b1 bdc38483 5e477185f96e68be bb0025d2 d2b69edf 21724198 f688b41d eb9b4913 fbe696b5 457ab39921e1d759 1f89de84 57e8613c 6c9e3b24 2879d4d8 783b2d9c a9935ea5 26a729c06edfc501 37e69330 be976012 cc5dfe1c 14c4c68b d1db3ecb 24438a59 a09b5db435563e0d 8bdf572f 77b53065 cef31f32 dc9dbaa0 4146261e 9994bd5c d0758e3dSecond message:a766a602 b65cffe7 73bcf258 26b322b1 d01b1ad7 2684ef51 be3b4b7f d3fe3762a4c08e45 e959b2fc 3b519880 39286528 a47d110d 70f5c5e0 34590ce3 755f52fc6ffd4c8d 668de875 329e603e 451e7f02 d45410d1 e71d108d f5a4000d cf20a4394949d72c d14fbb01 45cf3a69 5dcda89d 198f8755 ac9a58b1 3dc38481 5e4771c5796e68fe bb0025d0 52b69edd a17241d8 7688b41f 6b9b4911 7be696f5 c57ab399a1e1d719 9f89de86 57e8613c ec9e3b26 a879d498 783b2d9e 29935ea7 a6a729806edfc503 37e69330 3e976010 4c5dfe5c 14c4c689 51db3ecb a4438a59 209b5db435563e0d 8bdf572f 77b53065 cef31f30 dc9dbae0 4146261c 1994bd5c 50758e3dCommon hash value (can be found using for example "openssl sha file.bin"after creating a binary file containing any of the messages)c9f160777d4086fe8095fba58b7e20c228a4006bThis was done by using a generalization of the attack presented at Crypto'98by Chabaud and Joux. This generalization takes advantage of the iterativestructure of SHA-0. We also used the "neutral bit" technique of Biham andChen (To be presented at Crypto'2004).The computation was performed on TERA NOVA (a 256 Intel-Itanium2 systemdevelopped by BULL SA, installed in the CEA DAM open laboratoryTERA TECH). It required approximatively 80 000 CPU hours.The complexity of the attack was about 2^51.We would like to thank CEA DAM, CAPS Entreprise and BULL SA fortheir strong support to break this challenge.Antoine Joux(*) (DCSSI Crypto Lab)Patrick Carribault (Bull SA)Christophe Lemuet, William Jalby(Universit'e de Versailles/Saint-Quentin en Yvelines)(*) The theoretical cryptanalysis was developped by this author.The three others authors ported and optimized the attack on the TERA NOVAsupercomputer, using CAPS Entreprise tools.$hexdump fic1.bin0000000 66a7 02a6 5cb6 e7ff bc73 58f2 b326 b3220000010 1bd0 971a 8426 53ef 3b3e 7f4b fe53 62370000020 c024 478e 59e9 bcb2 513b 8098 28b9 68650000030 7d24 0f11 f570 e2c5 59b4 a30c 5ff5 fe520000040 fdef 8f4c 8de6 35e8 9e32 3c60 1ec5 027f0000050 5454 d110 1d67 8d10 a4f5 0d00 20cf 39a40000060 4949 2cd7 4fd1 03bb cf45 293a cd5d 9fa80000070 8f99 5587 9a2c b158 c3bd 8384 475e 85710000080 6ef9 be68 00bb d225 b6d2 df9e 7221 98410000090 88f6 1db4 9beb 1349 e6fb b596 7a45 99b300000a0 e121 59d7 891f 84de e857 3c61 9e6c 243b00000b0 7928 d8d4 3b78 9c2d 93a9 a55e a726 c02900000c0 df6e 01c5 e637 3093 97be 1260 5dcc 1cfe00000d0 c414 8bc6 dbd1 cb3e 4324 598a 9ba0 b45d00000e0 5635 0d3e df8b 2f57 b577 6530 f3ce 321f00000f0 9ddc a0ba 4641 1e26 9499 5cbd 75d0 3d8e$ hexdump fic2.bin0000000 66a7 02a6 5cb6 e7ff bc73 58f2 b326 b1220000010 1bd0 d71a 8426 51ef 3bbe 7f4b fed3 62370000020 c0a4 458e 59e9 fcb2 513b 8098 2839 28650000030 7da4 0d11 f570 e0c5 5934 e30c 5f75 fc520000040 fd6f 8d4c 8d66 75e8 9e32 3e60 1e45 027f0000050 54d4 d110 1de7 8d10 a4f5 0d00 20cf 39a40000060 4949 2cd7 4fd1 01bb cf45 693a cd5d 9da80000070 8f19 5587 9aac b158 c33d 8184 475e c5710000080 6e79 fe68 00bb d025 b652 dd9e 72a1 d8410000090 8876 1fb4 9b6b 1149 e67b f596 7ac5 99b300000a0 e1a1 19d7 899f 86de e857 3c61 9eec 263b00000b0 79a8 98d4 3b78 9e2d 9329 a75e a7a6 802900000c0 df6e 03c5 e637 3093 973e 1060 5d4c 5cfe00000d0 c414 89c6 db51 cb3e 43a4 598a 9b20 b45d00000e0 5635 0d3e df8b 2f57 b577 6530 f3ce 301f00000f0 9ddc e0ba 4641 1c26 9419 5cbd 7550 3d8e$ diff fic1.bin fic2.binBinary files fic1.bin and fic2.bin differ$ openssl sha fic1.binSHA(fic1.bin)= c9f160777d4086fe8095fba58b7e20c228a4006b$ openssl sha fic2.binSHA(fic2.bin)= c9f160777d4086fe8095fba58b7e20c228a4006b</quote>-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~* Pascal Junod <[EMAIL PROTECTED]>  http://crypto.junod.info      ** Security and Cryptography Laboratory (LASEC)                       ** Swiss Federal Institute of Technology (EPFL), CH-1015 Lausanne     *~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~---------------------------------------------------------------------The Cryptography Mailing ListUnsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]