This question is similar to this, but that one only references MD5 collision demos.
Are there any actual SHA-1 collision pairs of arbitrary messages known so far?
Google's Security Blog describes the first public, intentional SHA-1 collision here: https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
Direct links to 2 PDFs with the same SHA-1 (from the site dedicated to this finding):
Again, Marc Stevens was involved along with CWI Amsterdam and some Google employees, but this time for the full-round SHA-1 on two constructed PDFs.
Stevens also notes that due to SHA-1's Merkle-Damgård construction, both PDFs can be extended (appended) with the same arbitrary data to produce longer versions hashing to the same digest.
Google will apparently publish the accompanying source code in 90 days from now (February 23, 2017), giving affected system suppliers some time to update their stuff.
It remains to be seen how software like git and service providers like GitHub will deal with this, especially in terms of backwards compatibility.
Linus Torvalds has issued a statement regarding git, noting that they will migrate to newer hashes in a compatible way, but that it will take time.
By the way, the "shattered" collision demo does not affect git (without modifications), because it uses SHA-1 like this:
```
sha1("blob " + <size> + "\0" + <contents>)
```
You can get the git hash using `git hash-object`, even if the file is not in git.
In related news, Subversion seems to be the first real victim of this proof, causing repository corruption, thereby making the mentioned files practical exploits.
-- PREVIOUSLY... --
A 76-round collision was found by Marc Stevens.
Cryptographer Jean-Philippe Aumasson, co-creator of BLAKE and SipHash and initiator of the Password Hashing Competition (PHC), guesses an SHA-1 collision on the full 80 rounds will have been found by 2020.
According to ongoing research by Marc Stevens et al. published in October 2015,
... we estimate the SHA-1 collision cost today (i.e., Fall 2015) between 75K$ and 120K$ renting Amazon EC2 cloud computing over a few months. By contrast, security expert Bruce Schneier previously projected the SHA-1 collision cost to be ~173K$ by 2018.
They also describe a collision attack for SHA-1's compression function.
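The git blob hashing described in the answer above, as an added example (not code from the answer or from git itself): it reproduces `git hash-object` for a blob with Python's `hashlib`, and compares two files under both raw SHA-1 and git's prefixed form, so you can check for yourself that a raw SHA-1 collision does not automatically carry over to git object IDs. The sample inputs are constructed; the two known test vectors (empty blob, `hello\n`) are git's well-known object IDs.

```python
import hashlib
import sys


def plain_sha1(data: bytes) -> str:
    """Raw SHA-1 of the bytes, as `sha1sum` would compute it."""
    return hashlib.sha1(data).hexdigest()


def git_blob_hash(data: bytes) -> str:
    """Object ID git assigns to a blob: sha1("blob <size>\\0<contents>").

    The header is fed into SHA-1 before the file contents, so the
    internal chaining state differs from a raw hash of the same bytes.
    Collision blocks crafted for the raw hash were computed against
    SHA-1's initial state and generally do not survive this prefix.
    """
    header = b"blob %d\0" % len(data)
    return hashlib.sha1(header + data).hexdigest()


def compare(a: bytes, b: bytes) -> dict:
    """Report whether two byte strings collide under raw SHA-1 and under
    git's blob hashing; a practitioner can run this on the two shattered
    PDFs to see that only the first is True."""
    return {
        "raw_sha1_collision": plain_sha1(a) == plain_sha1(b),
        "git_blob_collision": git_blob_hash(a) == git_blob_hash(b),
    }


if __name__ == "__main__":
    # Usage: python this_script.py file1 file2
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            print(compare(f1.read(), f2.read()))
    else:
        # Constructed sample: same contents vs. differing contents.
        print(compare(b"hello\n", b"hello\n"))
        print(compare(b"hello\n", b"hello!\n"))
```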