Abstract / Description of output
In February 2017, the SHA-1 hashing algorithm was practically broken using an identical-prefix collision attack implemented on a GPU cluster, and in January 2020 a chosen-prefix collision was first computed, with practical implications for various security protocols. These advances opened the door to several research questions, such as the minimal cost of performing these attacks in practice. In particular, one may wonder what the best technology is for software/hardware cryptanalysis of such primitives. In this paper, we address some of these questions by studying the challenges and costs of building an ASIC cluster for performing attacks against a hash function. Our study takes into account different scenarios and includes two cryptanalytic strategies that can be used to find such collisions: a classical generic birthday search, and a state-of-the-art differential attack using neutral bits for SHA-1.
We show that for generic attacks, GPUs and ASICs pose a serious practical threat to primitives with a security level of about 64 bits, with rented GPUs a good solution for a one-off attack and ASICs more efficient if the attack has to be run a few times. ASICs also pose a non-negligible security risk for primitives with 80-bit security. For differential attacks, GPUs (purchased or rented) are often a very cost-effective choice, but ASICs provide an alternative for organizations that can afford the initial cost and are looking for a compact, energy-efficient, reusable solution. In the case of SHA-1, we show that an ASIC cluster costing a few million dollars would be able to generate chosen-prefix collisions in a day or even in a minute. This extends the attack surface to TLS and SSH, for which the chosen-prefix collision would need to be generated very quickly.
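The generic birthday search that the abstract contrasts with the differential attack, as an added illustration for this record (not code from the paper): a van Oorschot-Wiener distinguished-point collision search on the first n bits of SHA-1, the parallel-friendly variant a GPU or ASIC cluster would actually implement. The truncation width, the distinguished-point rule and the RNG seed are assumptions of this example; the collisions it finds are on the truncated prefix only, and the `expected_evaluations` helper gives the birthday bound sqrt(pi/2 * 2^n) that underlies the abstract's 64-bit and 80-bit cost estimates.

```python
"""Generic birthday search on truncated SHA-1 with distinguished points.

Added illustration, not the paper's code. It implements the van
Oorschot-Wiener parallel collision search: many short pseudo-random walks,
each stored only when it reaches a "distinguished" value, so memory stays
small and workers (GPU threads, ASIC cores) share nothing but one table.
N_BITS, DP_BITS and the seed are assumptions of this example.
"""
import hashlib
import math
import random

N_BITS = 24     # truncated-hash width (assumption): small enough to run in seconds
DP_BITS = 4     # a point is distinguished if its DP_BITS low bits are all zero


def h(msg: bytes, n: int) -> int:
    """First n bits of SHA-1(msg), as an integer."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") >> (160 - n)


def encode(y: int, n: int) -> bytes:
    """Injective map from an n-bit value back into the message space."""
    return y.to_bytes((n + 7) // 8, "big")


def step(y: int, n: int) -> int:
    """Walk function f(y) = h(encode(y)); a collision in f on distinct
    inputs is a collision of the truncated hash on distinct messages."""
    return h(encode(y, n), n)


def locate(s1: int, l1: int, s2: int, l2: int, n: int):
    """Two trails ended at the same distinguished point. Align them so both
    have the same number of steps left, then walk in lockstep; the last pair
    of distinct points before they merge is the collision. Returns None when
    one trail is merely a suffix of the other (a false alarm)."""
    if l1 < l2:
        s1, l1, s2, l2 = s2, l2, s1, l1
    for _ in range(l1 - l2):
        s1 = step(s1, n)
    if s1 == s2:
        return None
    while True:
        a, b = step(s1, n), step(s2, n)
        if a == b:
            return s1, s2
        s1, s2 = a, b


def find_collision(n: int = N_BITS, dp_bits: int = DP_BITS, seed=0):
    """Return (y1, y2, evals) with y1 != y2, step(y1) == step(y2), and the
    number of hash evaluations spent on trails. Expected evals is about
    sqrt(pi/2 * 2**n) plus roughly 2**dp_bits of overhead per trail."""
    rng = random.Random(seed)       # deterministic walks for reproducibility
    mask = (1 << dp_bits) - 1
    table = {}                      # distinguished point -> (start, length)
    evals = 0
    max_trail = 20 << dp_bits       # give up on walks that cycle without a DP
    while True:
        start = rng.getrandbits(n)
        y, length = start, 0
        while y & mask:
            y = step(y, n)
            evals += 1
            length += 1
            if length > max_trail:
                break
        else:                       # reached a distinguished point
            if y in table:
                found = locate(start, length, *table[y], n)
                if found is not None:
                    return found[0], found[1], evals
            table[y] = (start, length)


def verify(y1: int, y2: int, n: int = N_BITS) -> bool:
    """Check the result on the messages themselves: distinct inputs,
    equal n-bit SHA-1 prefixes."""
    m1, m2 = encode(y1, n), encode(y2, n)
    return m1 != m2 and h(m1, n) == h(m2, n)


def expected_evaluations(n: int) -> float:
    """Birthday bound: mean number of hash evaluations before the first
    collision among n-bit outputs is sqrt(pi/2 * 2**n)."""
    return math.sqrt(math.pi / 2 * 2 ** n)


if __name__ == "__main__":
    y1, y2, evals = find_collision(seed=2021)
    print(f"{N_BITS}-bit SHA-1 prefix collision: {encode(y1, N_BITS).hex()} vs "
          f"{encode(y2, N_BITS).hex()} after {evals} evaluations "
          f"(expected ~{expected_evaluations(N_BITS):.0f}); "
          f"64-bit would need ~{expected_evaluations(64):.2e}, "
          f"80-bit ~{expected_evaluations(80):.2e}")
```

The table holds one entry per trail rather than one per hash evaluation, which is what makes the method fit on hardware with little memory per core; raising `DP_BITS` trades fewer, longer trails (less storage) for more wasted steps after the first collision actually occurs.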
Original language | English |
---|---|
Title of host publication | Topics in Cryptology – CT-RSA 2021 |
Publisher | Springer |
Pages | 657 – 681 |
Number of pages | 25 |
ISBN (Electronic) | 978-3-030-75539-3 |
ISBN (Print) | 978-3-030-75538-6 |
DOIs | |
Publication status | Published - 11 May 2021 |
Event | The Cryptographer's Track at the RSA Conference 2021 - Virtual, San Francisco, United States. Duration: 17 May 2021 → 20 May 2021. https://sites.google.com/site/ctrsa2021/ |
Publication series
Name | Lecture Notes in Computer Science |
---|---|
Publisher | Springer |
Volume | 12704 |
ISSN (Print) | 0302-9743 |
ISSN (Electronic) | 1611-3349 |
Conference
Conference | The Cryptographer's Track at the RSA Conference 2021 |
---|---|
Abbreviated title | CT-RSA 2021 |
Country/Territory | United States |
City | San Francisco |
Period | 17/05/21 → 20/05/21 |
Internet address | https://sites.google.com/site/ctrsa2021/ |
Keywords / Materials (for Non-textual outputs)
- SHA-1
- Cryptanalysis
- ASIC
- Birthday Problem
- Hash Function