The original specification of the algorithm was published in 1993 as the Secure Hash Standard, FIPS PUB 180. This version is now often referred to as "SHA-0". It was withdrawn by NSA shortly after publication and was superseded by the revised version, published in 1995 in FIPS PUB 180-1 and commonly referred to as "SHA-1". This was done, according to NSA, to correct a flaw in the original algorithm which reduced its cryptographic security. However, NSA did not provide any further explanation or identify what flaw was corrected. In 1998, an attack on SHA-0 was found which did not apply to SHA-1 — it is unknown whether this is the flaw discovered by NSA, but it does give some indication that the change improved the security. SHA-1 has been very closely examined by the public cryptographic community, and no attacks have been found. In 2004, however, a number of attacks were reported on cryptographic hash functions with a similar structure to SHA-1; this has raised questions about the long-term security of SHA-1.
SHA-0 and SHA-1 produce a 160-bit digest from a message with a maximum size of 2^64 bits, and are based on principles similar to those used by Professor Ronald L. Rivest of MIT in the design of the MD4 and MD5 message digest algorithms.
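To make the two preceding paragraphs concrete, here is an added Python implementation of the SHA-0/SHA-1 core (it is not part of the original article and not a reference implementation). The two algorithms share the 160-bit state, the 80-round compression function and the 64-bit length field that causes the 2^64-bit input limit; the single difference is the one-bit left rotation that SHA-1 applies to each expanded message word, which is exactly what the 1995 revision changed. The SHA-1 path is checked against the standard library; the SHA-0 path is included only to show how small the change was.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    """32-bit rotate left."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def _pad(message: bytes) -> bytes:
    """Merkle-Damgard padding shared by SHA-0 and SHA-1: a 0x80 byte, zeros up
    to 56 mod 64, then the message length in bits as a 64-bit big-endian
    integer. That 64-bit field is why the input is limited to 2^64 bits."""
    bit_len = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", bit_len)


def _compress(state, block: bytes, rotate_schedule: bool):
    """One 512-bit block through the 80-round compression function."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        wt = w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16]
        # The only difference between the two standards: SHA-1 rotates each
        # expanded word left by one bit, SHA-0 (FIPS 180, 1993) does not.
        w.append(_rotl(wt, 1) if rotate_schedule else wt)

    a, b, c, d, e = state
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        temp = (_rotl(a, 5) + f + e + k + w[t]) & MASK32
        a, b, c, d, e = temp, a, _rotl(b, 30), c, d

    # Davies-Meyer feed-forward: add the round output to the chaining state.
    return tuple((s + v) & MASK32 for s, v in zip(state, (a, b, c, d, e)))


def sha_digest(message: bytes, sha1: bool = True) -> str:
    """Hex digest of `message`; sha1=False selects the withdrawn SHA-0 schedule."""
    # Initial 160-bit chaining value, identical for SHA-0 and SHA-1.
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
    padded = _pad(message)
    for off in range(0, len(padded), 64):
        state = _compress(state, padded[off:off + 64], rotate_schedule=sha1)
    return "".join(f"{s:08x}" for s in state)


def sha1(message: bytes) -> str:
    return sha_digest(message, sha1=True)


def sha0(message: bytes) -> str:
    return sha_digest(message, sha1=False)


def matches_hashlib(message: bytes) -> bool:
    """Cross-check the SHA-1 path against the standard library."""
    return sha1(message) == hashlib.sha1(message).hexdigest()


if __name__ == "__main__":
    # Constructed sample inputs, including one spanning several 64-byte blocks.
    for msg in (b"", b"abc", b"The quick brown fox jumps over the lazy dog", bytes(range(256)) * 3):
        assert matches_hashlib(msg)
    print("SHA-1(abc) =", sha1(b"abc"))
    print("SHA-0(abc) =", sha0(b"abc"))
```

Running the block shows that the two digests of the same input are unrelated even though the code paths differ by one rotation; that is the sense in which the 1995 change was small in specification but significant in effect.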
At CRYPTO 98, two French researchers presented an attack on SHA-0 (Chabaud and Joux, 1998): collisions can be found with complexity 2^61, less than the 2^80 for an ideal hash function of the same size.
In 2004, Biham and Chen found near-collisions for SHA-0 — two messages that hash to nearly the same value; in this case, 142 out of the 160 bits are equal. They also found full collisions of SHA-0 reduced to 62 out of its 80 rounds.
On 12 August 2004, a collision for the full SHA-0 algorithm was announced by Joux, Carribault, Lemuet and Jalby. This was done by using a generalization of the Chabaud and Joux attack. Finding the collision had complexity 2^51 and took about 80,000 CPU hours on a supercomputer with 256 Itanium 2 processors [1]. On 17 August 2004, at the Rump Session of CRYPTO 2004, preliminary results were announced by Wang, Feng, Lai, and Yu, that attack MD5, SHA-0 and other hash functions. The complexity of their attack on SHA-0 is 2^40, so this is significantly better than the attack by Joux et al. See also MD5 security. A short summary of the Rump Session can be found at [2] and in discussions on sci.crypt, e.g. [3]. One of these may be the problem NSA noted, and which caused withdrawal of SHA-0 and release of SHA-1.
In the light of these results, some experts suggest that plans for the use of SHA-1 in new cryptosystems should be reconsidered. After the results were published, NIST announced that it planned to phase out the use of SHA-1 by 2010 in favour of the SHA-2 variants [4].