Australian researchers have described a new and faster way of provoking collisions of the SHA-1 hash algorithm. With their method, a collision can be found using only 2^52 attempts. This makes practical attacks feasible and could have an impact on the medium-term use of the algorithm in digital signatures.
SHA-1 is used to verify data authenticity in many applications. To reduce the complexity of the collision process, the researchers combined a boomerang attack with the search for differential paths.
The search for a successor to SHA-1 began in 2005. Algorithms of the SHA-2 family (SHA-224, SHA-256, SHA-384 and SHA-512) were among the suggestions, but they are essentially based on the same algorithm as SHA-1, only with longer hash values. As a result, they are probably vulnerable to the same types of attack.
The US National Institute of Standards and Technology (NIST) therefore launched a competition to develop a new hash algorithm. Submissions for the competition closed on the 31st of October 2008 and 51 contenders from 50 developer teams have been entered. The winning entry will be called SHA-3 and become the official security standard in 2012.