SHA1 collision demo / example

Question

This question is similar to this, but that one only references MD5 collision demos.

Are there any actual SHA1 collision pairs of arbitrary messages known so far ?

Answer 1

Not exactly SHA1 collision, but there are collisions of PBKDF2-HMAC-SHA1 message digest authentication code.

For instance, PBKDF2(SHA1, password, salt, iterations, dkLen) of the two passwords plnlrtfpijpuhqylxbgqiiyipieyxvfsavzgxbbcfusqkozwpngsyejqlmjsytrmd and eBkXQTfuBqp\'cTcar&g*, salt hunter2, 4 iterations, provide the same value (35d1c8f259129dc800ec8e073bb68f995424619c for dkLen 20).

In fact, it is trivial to find such collisions for strings longer than 64 bytes.

Another collision example (Python3):

>>> import hashlib, binascii
>>> def pbkdf2sha1hex(x, salt, iters):
...     h = hashlib.pbkdf2_hmac('sha1', x, salt, iters)
...     return binascii.hexlify(h)
>>> pbkdf2sha1hex(b'http://stackoverflow.com/questions/3475648/sha1-collision-demo-example/31136714', b'NaCl', 1000000)
b'20177527e04e05d5e7b448c1ab2b872f86831d0b'
>>> pbkdf2sha1hex(b'\x8c\xbf8\x94\xbc\xf4\xbe\x90xT,r\xbc\x03\xd1\xed\xd9\xea\xfb\x9f', b'NaCl', 1000000)
b'20177527e04e05d5e7b448c1ab2b872f86831d0b'

Please note that the same "problem" applies to PBKDF2-HMAC-SHA256 as well:

>>> h1 = pbkdf2_hmac('sha256', b'http://stackoverflow.com/questions/3475648/sha1-collision-demo-example/31136714', b'NaCl', 1000000)
b"\xcf\xc5\xee\x15=\r\x0b\x0e\x89r\x9b\xe1\xb7'+\xa4'o\x98kn++u\x12\xec\xd9\xec\xea\xebL\xb7"
>>> h2 = pbkdf2_hmac('sha256', b'.\x83\xb0D\x93D\x9f\x162\xf3\xd4x\xb6\x1a\x9f-\x1f\xdb\xdc\xa4\x8f\xb3\x95Y5\xea\x99*\x97\x00V\x81', b'NaCl', 1000000)
>>> h1 == h2
True

It all happens, because from the PBKDF2 definition, for long strings, it holds:
PBKDF2(hashalgo, s, ...) == PBKDF2(hashalgo, hashalgo(s), ...).

More info e.g. here: https://mathiasbynens.be/notes/pbkdf2-hmac