Differential Collisions in SHA-0

In this paper we present a method for finding collisions in SHA-0 which is related to differential cryptanalysis of block ciphers. Using this method, we obtain a theoretical attack on the compression function SHA-0 with complexity 2, which is thus better than the birthday paradox attack. In the case of SHA-1, this method is unable to find collisions faster than the birthday paradox. This is a strong evidence that the transition to version 1 indeed raised the level of security of SHA. 1 Description of SHA 1.1 Historical Overview The Secure Hash Standard (SHS) [7] was issued by the National Institute of Standards and Technology in 1993. It was largely inspired from Rivest’s MD4 [5]. However, a certain number of basic blocks of this function were different from MD4 ones, but no explanation was given for the choices. Two years later, an addendum was made to the standard, slightly altering the function [8]. This change was claimed to correct a technical weakness in SHA but no justification was given. Yet, it was reported that a collision attack better than the birthday paradox had been found by the NSA. Independantly, several attacks on the original MD4 function, and its MD5 improvement [6] have been published [2,4]. However, these attacks couldn’t be applied to the Secure Hash Algorithm (neither in the first nor in the second version) because of the expansion used.