New ASIC/FPGA Cost Estimates for SHA-1 Collisions

SHA-1 remains, till date, the most widely used hash function, in spite of several successful cryptanalytic attacks against it. These attacks, however, remain impractical due to high computation complexity and associated cost. We endeavor to do cost-time product estimation for an attack by the aid of application-specific hardware acceleration. This work proposes an Application-Specific Instruction-set Processor (ASIP), named Cracken. Cracken is aimed to efficiently realize near collision attack on SHA-1. The estimations of the physical attack complexity is done using 65nm standard CMOS technology and commercial FPGA devices. It is estimated, with post-layout simulations, that Stevens´ differential attack with an estimated complexity of 2^57.5, can be executed in 46 days using 4096 Cracken cores at a cost of €15m. Estimation for real collision with complexity 2⁶¹ is also done. Our cost-time estimates reveal that an FPGA-based attack is more efficient compared to ASIC. Previously reported SHA-1 attacks based on ASIC and cloud computing platforms are also compiled and benchmarked for reference.