Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 26 Jun 2012 17:28:21 +0400
From: Solar Designer <>
To: "Andries E. Brouwer" <>
Cc:, Tavis Ormandy <>
Subject: Re: raw-sha1_li

Andries -

Thank you for reporting this issue to us.

All - please note that Andries is not subscribed, so please keep him
CC'ed on replies.  Ditto for Tavis (CC'ed here).

On Tue, Jun 26, 2012 at 12:12:00PM +0200, Andries E. Brouwer wrote:
> There are two entirely different hashes:
> 1. raw-sha1
> 2. raw-sha1 followed by zeroing the first 20 bits
> They should have different names since they differ.
> For example, the linkedin dump contains the hashes
> a96807e7bd710592ee36264a72d6aa35c2d165f9
> 000007e7bd710592ee36264a72d6aa35c2d165f9
> Now sunshine09 has sha1sum
> 3b1787e7bd710592ee36264a72d6aa35c2d165f9
> so that it qualifies for the second hash, but not for the first one.

That's a curious discovery.  It pretty much implies that the
a96807e7bd710592ee36264a72d6aa35c2d165f9 hash in the dump is not valid
(has its first 20 bits overwritten with non-zeroes), because it is
unrealistic that we hit a true 140-bit SHA-1 collision without even
trying to trigger that.

Tavis - what was the closest SHA-1 near-collision that you managed to hit?
And the closest for sequential bits (like 140 in a row that we have
here, rather than 140 scattered throughout the 160)?

> This means that raw-sha1 and raw-sha1_LI must be kept separate.
> It also means that it is a bad idea to call them both $dynamic_26$.

Not necessarily.

Thanks again,


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.