The first block $M_0$ is one of 64 possible values, whereas the next six blocks $M_1...M_6$ are chosen randomly. The idea is to publish the SHA-1 hash of $M_0...M_6$, wait for the value of $M_0$ to be announced, and then release the original message $M_0...M_6$ - so as to prove that we can predict $M_0$ beforehand.

But now we want to fake our prediction: that is, publish a certain hash $H$, and then once $M_0$ is revealed, we publish $M_0...M_6$ such that $M_0$ is correct and it hashes to $H$.

I'm not sure if my attack should leverage properties that are specific to SHA-1: it seems unlikely that it should. But I'm lost as to how I can choose 64 different sets of 6 random blocks that hash to the same value (when concatenated with one of $M_0$'s 64 values).

Edit: I forgot to mention that the algorithm used can be probabilistic, and it should work with at least $50\%$ probability.

Matt

2 Answers

As far as I understand, you are trying to find $M_1...M_6$ so that $H(M_0||M_1||...||M_6) = h$ for any of 64 preset values of $M_0$. This implies a collision attack on $H$, which in the case of SHA-1 has not yet been accomplished in practice (though it is probably close).

Specifically, you would need a chosen prefix collision. We have such attacks for MD5 (see e.g. the links from this answer), assuming you have enough freedom in the size/choice of $M_i$. However, there is still a ways to go before it could be accomplished for SHA-1.

otus

Assuming a naive birthday attack, you can do this by generating 63 collisions.

The idea is to create 32 colliding message pairs (64 messages total). Then take the hashes from two adjacent pairs and use those as the IVs for another row of 16 collisions. Keep doing that until you converge on a single hash.

Build a collision tree that looks like this, where m and m' are colliding messages:

```
m0,m'0  m1,m'1  m2,m'2  m3,m'3   ...   m28,m'28  m29,m'29  m30,m'30  m31,m'31
   \      /        \      /               \        /          \         /
    \    /          \    /                 \      /            \       /
    m0,m'0          m1,m'1                 m14,m'14            m15,m'15
       \              /                        \                 /
        \            /                          \               /
         \          /                            \             /
           m0,m'0                                   m7,m'7

                          ..........................

                       m0,m'0        m1,m'1
                           \          /
                             m0,m'0
```

Your $M_0$ would be any message from the first row, your $M_1$ would be the next message in the graph from the 2nd row, and so on.

user13741
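The collision tree this answer describes, modelled as an added example (not code from the answer) over a toy 24-bit Merkle-Damgård hash so that each birthday collision is cheap to find: `herd` builds the 63-collision tree over 64 candidate $M_0$ blocks and returns the root hash to commit to plus, for each $M_0$, the suffix $M_1...M_6$ that reaches it. The 24-bit truncation, the helper names and the 64 sample $M_0$ values are assumptions constructed for the example.

```python
import hashlib
from functools import reduce

STATE_BYTES = 3   # toy 24-bit chaining value: each birthday collision costs ~2^12 work (SHA-1 has 160 bits)
BLOCK_BYTES = 4
IV = b"\x00" * STATE_BYTES

def compress(state, block):
    """Toy Merkle-Damgard compression function: SHA-256(state || block) truncated to STATE_BYTES."""
    return hashlib.sha256(state + block).digest()[:STATE_BYTES]

def toy_hash(blocks):
    """Chain compress() from IV over the message blocks (no length padding, to keep the model small)."""
    return reduce(compress, blocks, IV)

def collide(state_a, state_b):
    """Birthday search for blocks (x, y) with compress(state_a, x) == compress(state_b, y); counter blocks keep it deterministic."""
    seen_a, seen_b, i = {}, {}, 0
    while True:
        block = i.to_bytes(BLOCK_BYTES, "big")
        out_a, out_b = compress(state_a, block), compress(state_b, block)
        if out_a in seen_b:                      # a-side output was already produced on the b side
            return block, seen_b[out_a]
        if out_b in seen_a:
            return seen_a[out_b], block
        seen_a[out_a], seen_b[out_b] = block, block
        i += 1

def herd(prefixes):
    """Build the 63-collision tree over the 64 candidate M_0 blocks; return the root hash to publish and each M_0's suffix M_1..M_6."""
    states = [compress(IV, p) for p in prefixes]   # 64 leaf chaining values, one per candidate M_0
    levels = []                                    # levels[k][j]: block that moves node j of level k to its parent
    while len(states) > 1:                         # 64 -> 32 -> 16 -> 8 -> 4 -> 2 -> 1
        parents, blocks = [], []
        for a, b in zip(states[0::2], states[1::2]):
            x, y = collide(a, b)
            parents.append(compress(a, x))         # == compress(b, y)
            blocks += [x, y]
        states, levels = parents, levels + [blocks]
    suffixes = {}
    for leaf, prefix in enumerate(prefixes):
        node, path = leaf, []
        for blocks in levels:                      # walk leaf -> root, one block per level
            path.append(blocks[node])
            node //= 2
        suffixes[prefix] = path
    return states[0], suffixes

PREFIXES = [bytes([i]) + b"\x00" * (BLOCK_BYTES - 1) for i in range(64)]   # constructed sample: the 64 candidate M_0 values
```

Whichever of the 64 prefixes is later announced, `toy_hash([M_0] + suffixes[M_0])` equals the root published in advance; the same structure with a full-width chaining value is what the 2^80-per-collision cost of SHA-1 rules out in practice.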