Is SHA1 better than MD5 only because it generates a hash of 160 bits?

  • It is well known that SHA1 is recommended more than MD5 for hashing since MD5 is practically broken as lot of collisions have been found. With the birthday attack, it is possible to get a collision in MD5 with 264 complexity and with 280 complexity in SHA1

    It is known that there are algorithms that are able to crack both of these in far lesser time than it takes for a birthday attack.

    My question is: is MD5 considered insecure only for this reason that it is easy to produce collisions? Because looking at both, producing collisions in SHA1 is not that difficult either. So what makes SHA1 better?

    Update 02/2017 - https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html

    I was under the impression that it is possible to determine a collision given 2^80 possible inputs. Also, [link]http://eprint.iacr.org/2008/469.pdf is a theoretical attack on SHA1. Correct me if am wrong.

    There are theoretical attacks. But nobody managed to pull off an actual collision yet. Still I certainly wouldn't trust SHA-1's collision resistance, since it's likely the next practical attack against a popular crypto primitive we'll see. But it hasn't happened yet (at least publicly).

  • Tom Leek

    Tom Leek Correct answer

    8 years ago

    Producing SHA-1 collisions is not that easy. It seems reasonable that the attack with has been described on SHA-1 really works with an average cost of 261, much faster than the generic birthday attack (which is in 280), but still quite difficult (doable, but expensive).

    That being said, we do not really know what makes hash functions resistant (see for instance this answer for a detailed discussion). With a lot of hand-waving, I could claim that SHA-1 is more robust than MD5 because it has more rounds and because the derivation of the 80 message words in SHA-1 is much more "mixing" than that of MD5 (in particular the 1-bit rotation, which, by the way, is the only difference between SHA-0 and SHA-1, and SHA-0 collisions have been produced).

    For more of the same, look at SHA-256, which is much more "massive" (many more operations than SHA-1, yet with a similar structure), and currently unbroken. It is as if there was a minimal amount of operations for a hash function to be secure, for a given structure (but there I am moving my hands at stupendous speed, so don't believe that I said anything really scientific or profound).

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM