Guide to hacking dead of the target wp

Android devices don't have hard disks, don't have virtual memory, don't have much RAM, don't have very powerful CPUs or GPUs, don't have sophisticated support for input devices or controllers.

Did you miss the part where the article said CodeWeavers got Steam running on Remix OS [jide.com], a version of Android that can run on regular PCs, which, if you so desire, can be configured with hard disks, gigabytes of RAM, top-of-the-line i7 CPUs, GPUs, real keyboards, mice, etc?

Windows applications & games also have dependencies on runtimes like DirectX, .NET, COM / ActiveX controls, proprietary fonts (even Arial is proprietary) etc. so it's not enough to fool the game but also satisfy these dependencies. And many games would use copy protection libraries that require drivers or background processes to function.

Wine provides DirectX, .NET, COM, ActiveX and even lets you install the freely downloadable Arial fonts. In fact CrossOver, which is based on Wine, already runs many of the games [codeweavers.com] you say it cannot run.

But then again, what's to stop Valve just throwing streaming onto their existing Steam app for Android?

In cryptography, SHA-1 (Secure Hash Algorithm 1) is a hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest, typically rendered as 40 hexadecimal digits. It was designed by the United States National Security Agency, and is a U.S. Federal Information Processing Standard. The algorithm has been cryptographically broken but is still widely used.

Since 2005, SHA-1 has not been considered secure against well-funded opponents; as of 2010 many organizations have recommended its replacement. NIST formally deprecated use of SHA-1 in 2011 and disallowed its use for digital signatures in 2013, and declared that it should be phased out by 2030. As of 2020, chosen-prefix attacks against SHA-1 are practical. As such, it is recommended to remove SHA-1 from products as soon as possible and instead use SHA-2 or SHA-3. Replacing SHA-1 is urgent where it is used for digital signatures.

All major web browser vendors ceased acceptance of SHA-1 SSL certificates in 2017. In February 2017, CWI Amsterdam and Google announced they had performed a collision attack against SHA-1, publishing two dissimilar PDF files which produced the same SHA-1 hash. However, SHA-1 is still secure for HMAC.

Microsoft discontinued SHA-1 code signing support for Windows Update on August 7, 2020.

Development

_Big endian: within each word, the most significant byte is stored in the leftmost byte position._

    Initialize variables:

    h0 = 0x67452301
    h1 = 0xEFCDAB89
    h2 = 0x98BADCFE
    h3 = 0x10325476
    h4 = 0xC3D2E1F0

    ml = message length in bits (always a multiple of the number of bits in a character).

    Pre-processing:
    append the bit '1' to the message e.g. by adding 0x80 if message length is a multiple of 8 bits.
    append 0 ≤ k < 512 bits '0', such that the resulting message length in bits
       is congruent to −64 ≡ 448 (mod 512)
    append ml, the original message length in bits, as a 64-bit big-endian integer.
       Thus, the total length is a multiple of 512 bits.

    Process the message in successive 512-bit chunks:
    break message into 512-bit chunks
    for each chunk
        break chunk into sixteen 32-bit big-endian words w[i], 0 ≤ i ≤ 15

        Message schedule: extend the sixteen 32-bit words into eighty 32-bit words:
        for i from 16 to 79
            Note 3: SHA-0 differs by not having this leftrotate.
            w[i] = (w[i-3] xor w[i-8] xor w[i-14] xor w[i-16]) leftrotate 1

        Initialize hash value for this chunk:
        a = h0
        b = h1
        c = h2
        d = h3
        e = h4

        Main loop:
        for i from 0 to 79
            if 0 ≤ i ≤ 19 then
                f = (b and c) or ((not b) and d)
                k = 0x5A827999
            else if 20 ≤ i ≤ 39
                f = b xor c xor d
                k = 0x6ED9EBA1
            else if 40 ≤ i ≤ 59
                f = (b and c) or (b and d) or (c and d)
                k = 0x8F1BBCDC
            else if 60 ≤ i ≤ 79
                f = b xor c xor d
                k = 0xCA62C1D6

            temp = (a leftrotate 5) + f + e + k + w[i]
            e = d
            d = c
            c = b leftrotate 30
            b = a
            a = temp

        Add this chunk's hash to result so far:
        h0 = h0 + a
        h1 = h1 + b
        h2 = h2 + c
        h3 = h3 + d
        h4 = h4 + e

    Produce the final hash value (big-endian) as a 160-bit number:
    hh = (h0 leftshift 128) or (h1 leftshift 96) or (h2 leftshift 64) or (h3 leftshift 32) or h4

The number hh is the message digest, which can be written in hexadecimal (base 16).

The chosen constant values used in the algorithm were assumed to be nothing up my sleeve numbers:

  • The four round constants k are 2^30 times the square roots of 2, 3, 5 and 10. However they were incorrectly rounded to the nearest integer instead of being rounded to the nearest odd integer, with equilibrated proportions of zero and one bits. As well, choosing the square root of 10 (which is not a prime) made it a common factor for the two other chosen square roots of primes 2 and 5, with possibly usable arithmetic properties across successive rounds, reducing the strength of the algorithm against finding collisions on some bits.
  • The first four starting values for h0 through h3 are the same as in the MD5 algorithm, and the fifth (for h4) is similar. However they were not properly verified for being resistant against inversion of the few first rounds to infer possible collisions on some bits, usable by multiblock differential attacks.

Instead of the formulation from the original FIPS PUB 180-1 shown, the following equivalent expressions may be used to compute f in the main loop above:

    Bitwise choice between c and d, controlled by b.
    (0 ≤ i ≤ 19): f = d xor (b and (c xor d))                (alternative 1)
    (0 ≤ i ≤ 19): f = (b and c) or ((not b) and d)           (alternative 2)
    (0 ≤ i ≤ 19): f = (b and c) xor ((not b) and d)          (alternative 3)
    (0 ≤ i ≤ 19): f = vec_sel(d, c, b)                       (alternative 4)
     [premo08]
    Bitwise majority function.
    (40 ≤ i ≤ 59): f = (b and c) or (d and (b or c))         (alternative 1)
    (40 ≤ i ≤ 59): f = (b and c) or (d and (b xor c))        (alternative 2)
    (40 ≤ i ≤ 59): f = (b and c) xor (d and (b xor c))       (alternative 3)
    (40 ≤ i ≤ 59): f = (b and c) xor (b and d) xor (c and d) (alternative 4)
    (40 ≤ i ≤ 59): f = vec_sel(c, b, c xor d)                (alternative 5)

It was also shown that for the rounds 32–79 the computation of:

    w[i] = (w[i-3] xor w[i-8] xor w[i-14] xor w[i-16]) leftrotate 1

can be replaced with:

    w[i] = (w[i-6] xor w[i-16] xor w[i-28] xor w[i-32]) leftrotate 2

This transformation keeps all operands 64-bit aligned and, by removing the dependency of w[i] on w[i-3], allows efficient SIMD implementation with a vector length of 4 like x86 SSE instructions.
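The following Python sketch is an added example, not part of the original article. It implements the pseudocode above and checks that the alternative expressions for f and the rounds 32–79 message schedule produce the same digest as the original formulation, with `hashlib` as the reference. The function names (`sha1`, `schedule`, `f_alternative`, `variants_agree`) are chosen here for illustration.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)  # one constant per 20 rounds

def rotl(x, n):
    """32-bit left rotate."""
    return ((x << n) | (x >> (32 - n))) & MASK

def pad(message):
    """Append 0x80, zero bytes up to 448 mod 512 bits, then the 64-bit bit length."""
    zeros = (55 - len(message)) % 64
    return message + b"\x80" + b"\x00" * zeros + struct.pack(">Q", len(message) * 8)

def schedule(chunk, fast=False):
    """Expand sixteen words to eighty; fast=True uses the rounds 32-79 variant."""
    w = list(struct.unpack(">16I", chunk))
    for i in range(16, 80):
        if fast and i >= 32:
            w.append(rotl(w[i-6] ^ w[i-16] ^ w[i-28] ^ w[i-32], 2))
        else:
            w.append(rotl(w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16], 1))
    return w

def f_original(i, b, c, d):
    """Round function as written in the main loop of the pseudocode."""
    if i < 20:
        return (b & c) | (~b & MASK & d)
    if 40 <= i < 60:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d

def f_alternative(i, b, c, d):
    """Same function using choice alternative 1 and majority alternative 3."""
    if i < 20:
        return d ^ (b & (c ^ d))
    if 40 <= i < 60:
        return (b & c) ^ (d & (b ^ c))
    return b ^ c ^ d

def sha1(message, f=f_original, fast=False):
    """Return the SHA-1 digest of `message` (bytes) as 40 hex digits."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    data = pad(message)
    for off in range(0, len(data), 64):
        w = schedule(data[off:off + 64], fast)
        a, b, c, d, e = h
        for i in range(80):
            temp = (rotl(a, 5) + f(i, b, c, d) + e + K[i // 20] + w[i]) & MASK
            a, b, c, d, e = temp, a, rotl(b, 30), c, d
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]
    return "".join(f"{x:08x}" for x in h)

def variants_agree(message):
    """True if all four combinations match hashlib's SHA-1 for this message."""
    ref = hashlib.sha1(message).hexdigest()
    return all(sha1(message, f, fast) == ref
               for f in (f_original, f_alternative) for fast in (False, True))

if __name__ == "__main__":
    # Constructed inputs, including both sides of the 55/56-byte padding boundary.
    for m in (b"", b"abc", b"a" * 55, b"a" * 56, b"x" * 1000):
        print(len(m), variants_agree(m))
```
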

Comparison of SHA functions

In the table below, internal state means the "internal hash sum" after each compression of a data block.

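| Algorithm and variant | Output size (bits) | Internal state size (bits) | Block size (bits) | Rounds | Operations | Security against collision attacks (bits) | Security against length extension attacks (bits) | Performance on Skylake, long messages (median cpb) | Performance on Skylake, 8 bytes (median cpb) | First published |
|---|---|---|---|---|---|---|---|---|---|---|
| MD5 (as reference) | 128 | 128 (4 × 32) | 512 | 4 (16 operations in each round) | And, Xor, Or, Rot, Add (mod 2^32) | ≤ 18 (collisions found) | 0 | 4.99 | 55.00 | 1992 |
| SHA-0 | 160 | 160 (5 × 32) | 512 | 80 | And, Xor, Or, Rot, Add (mod 2^32) | < 34 (collisions found) | 0 | ≈ SHA-1 | ≈ SHA-1 | 1993 |
| SHA-1 | 160 | 160 (5 × 32) | 512 | 80 | And, Xor, Or, Rot, Add (mod 2^32) | < 63 (collisions found) | 0 | 3.47 | 52.00 | 1995 |
| SHA-2: SHA-224 | 224 | 256 (8 × 32) | 512 | 64 | And, Xor, Or, Rot, Shr, Add (mod 2^32) | 112 | 32 | 7.62 | 84.50 | 2004 |
| SHA-2: SHA-256 | 256 | 256 (8 × 32) | 512 | 64 | And, Xor, Or, Rot, Shr, Add (mod 2^32) | 128 | 0 | 7.63 | 85.25 | 2001 |
| SHA-2: SHA-384 | 384 | 512 (8 × 64) | 1024 | 80 | And, Xor, Or, Rot, Shr, Add (mod 2^64) | 192 | 128 | 5.12 | 135.75 | 2001 |
| SHA-2: SHA-512 | 512 | 512 (8 × 64) | 1024 | 80 | And, Xor, Or, Rot, Shr, Add (mod 2^64) | 256 | 0 | 5.06 | 135.50 | 2001 |
| SHA-2: SHA-512/224 | 224 | 512 (8 × 64) | 1024 | 80 | And, Xor, Or, Rot, Shr, Add (mod 2^64) | 112 | 288 | ≈ SHA-384 | ≈ SHA-384 | 2012 |
| SHA-2: SHA-512/256 | 256 | 512 (8 × 64) | 1024 | 80 | And, Xor, Or, Rot, Shr, Add (mod 2^64) | 128 | 256 | ≈ SHA-384 | ≈ SHA-384 | 2012 |
| SHA-3: SHA3-224 | 224 | 1600 (5 × 5 × 64) | 1152 | 24 | And, Xor, Rot, Not | 112 | 448 | 8.12 | 154.25 | 2015 |
| SHA-3: SHA3-256 | 256 | 1600 (5 × 5 × 64) | 1088 | 24 | And, Xor, Rot, Not | 128 | 512 | 8.59 | 155.50 | 2015 |
| SHA-3: SHA3-384 | 384 | 1600 (5 × 5 × 64) | 832 | 24 | And, Xor, Rot, Not | 192 | 768 | 11.06 | 164.00 | 2015 |
| SHA-3: SHA3-512 | 512 | 1600 (5 × 5 × 64) | 576 | 24 | And, Xor, Rot, Not | 256 | 1024 | 15.88 | 164.00 | 2015 |
| SHA-3: SHAKE128 | d (arbitrary) | 1600 (5 × 5 × 64) | 1344 | 24 | And, Xor, Rot, Not | min(d/2, 128) | 256 | 7.08 | 155.25 | 2015 |
| SHA-3: SHAKE256 | d (arbitrary) | 1600 (5 × 5 × 64) | 1088 | 24 | And, Xor, Rot, Not | min(d/2, 256) | 512 | 8.59 | 155.50 | 2015 |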

Implementations

Below is a list of cryptography libraries that support SHA-1:

  • Botan
  • Bouncy Castle
  • cryptlib
  • Crypto++
  • Libgcrypt
  • Mbed TLS
  • Nettle
  • LibreSSL
  • OpenSSL
  • GnuTLS

Hardware acceleration is provided by the following processor extensions:

  • Intel SHA extensions: Available on some Intel and AMD x86 processors.
  • VIA PadLock
  • IBM z/Architecture: Available since 2003 as part of the Message-Security-Assist Extension

See also

  • Comparison of cryptographic hash functions
  • Hash function security summary
  • International Association for Cryptologic Research
  • Secure Hash Standard
