Gröbner Basis Based Cryptanalysis of SHA-1

Recently, Wang proposed a new method to cryptanalyze SHA-1 and found collisions of 58-round SHA-1. However many details of Wang’s attack are still unpublished, especially, 1) How to find differential paths? 2) How to modify messages properly? For the first issue, some results have already been reported. In our article, we clarify the second issue and give a sophisticated method based on Gröbner basis techniques. We propose two algorithm based on the basic and an improved message modification techniques re­ spectively. The complexity of our algorithm to find a collision for 58-round SHA-1 based on the basic message modification is 2 message modifications and its implementation is equivalent to 2 SHA-1 computation experimentally, whereas Wang’s method needs 2 SHA-1 computation. The proposed improved message modification is applied to construct a more sophisticated algorithm to find a collision. The complexity to find a collision for 58-round SHA-1 based on this improved message modification technique is 2 message modifications, but our latest implementation is very slow, equivalent to 2 SHA-1 com­ putation experimentally. However we conjecture that our algorithm can be improved by techniques of error correcting code and Gröbner basis. By using our methods, we have found many collisions for 58-round SHA-1.