On The Cost of ASIC Hardware Crackers: A SHA-1 Case Study

Anupam Chattopadhyay, Mustafa Khairallah, Gaëtan Leurent, Zakaria Najm, Thomas Peyrin, Vesselin Velichkov

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract / Description of output

In February 2017, the SHA-1 hashing algorithm was practically broken using an identical-prefix collision attack implemented on a GPU cluster, and in January 2020 a chosen-prefix collision was first computed with practical implications on various security protocols. These advances opened the door for several research questions, such as the minimal cost to perform these attacks in practice. In particular, one may wonder what is the best technology for software/hardware cryptanalysis of such primitives. In this paper, we address some of these questions by studying the challenges and costs of building an ASIC cluster for performing attacks against a hash function. Our study takes into account different scenarios and includes two cryptanalytic strategies that can be used to find such collisions: a classical generic birthday search, and a state-of-the-art differential attack using neutral bits for SHA-1.

We show that for generic attacks, GPUs and ASICs pose a serious practical threat to primitives with security level ∼ 64 bits, with rented GPUs a good solution for a one-off attack, and ASICs more efficient if the attack has to be run a few times. ASICs also pose a non-negligible security risk for primitives with 80-bit security. For differential attacks, GPUs (purchased or rented) are often a very cost-effective choice, but ASICs provide an alternative for organizations that can afford the initial cost and look for a compact, energy-efficient, reusable solution. In the case of SHA-1, we show that an ASIC cluster costing a few million would be able to generate chosen-prefix collisions in a day or even in a minute. This extends the attack surface to TLS and SSH, for which the chosen-prefix collision would need to be generated very quickly.

Original language: English
Title of host publication: Topics in Cryptology – CT-RSA 2021
Publisher: Springer
Pages: 657 – 681
Number of pages: 25
ISBN (Electronic): 978-3-030-75539-3
ISBN (Print): 978-3-030-75538-6
Publication status: Published - 11 May 2021
Event: The Cryptographer's Track at the RSA Conference 2021 - Virtual, San Francisco, United States
Duration: 17 May 2021 to 20 May 2021
https://sites.google.com/site/ctrsa2021/

Publication series

Name: Lecture Notes in Computer Science
Publisher: Springer
Volume: 12704
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: The Cryptographer's Track at the RSA Conference 2021
Abbreviated title: CT-RSA 2021
Country/Territory: United States
City: San Francisco
Period: 17/05/21 to 20/05/21

Keywords / Materials (for Non-textual outputs)

  • SHA-1
  • Cryptanalysis
  • ASIC
  • Birthday Problem
  • Hash Function
