A team of researchers from CWI and Google has won the CRYPTO 2017 Best Paper Award. CWI cryptanalyst Marc Stevens, Elie Bursztein (Google), Pierre Karpman (CWI), Ange Albertini and Yarik Markov (Google) were awarded the prize for their work, which is the first to break the SHA-1 internet security standard in practice. This industry standard is used for digital signatures and file integrity verification, which secure credit card transactions, electronic documents, Git open-source software repositories and software distribution.
The award winners explained their groundbreaking research in a plenary talk – ‘The first collision for full SHA-1’ – on 22 August 2017, during CRYPTO 2017, the 37th International Cryptology Conference of the International Association for Cryptologic Research (IACR) in Santa Barbara (USA). The program covers all aspects of cryptology.
The research team announced their break of SHA-1 on 23 February 2017, for which they were also awarded the BlackHat USA 2017 Pwnie Award for Best Cryptographic Attack earlier this month. Although the SHA-1 standard is deprecated, it is still used in practice. The research team showed that SHA-1 is not safe anymore and that the transition to safer standards must take place as soon as possible. Last week, Stevens and Daniel Shumow (Microsoft Research) presented improved real-time SHA-1 collision detection during the USENIX Security conference in Vancouver (August 2017), which is now used by default in Git, GitHub, Gmail, Google Drive, and Microsoft OneDrive.
The pioneering research by Marc Stevens over the past decade has been done in the Cryptology group at the Centrum Wiskunde & Informatica (CWI) national research centre in Amsterdam. This group investigates fundamental cryptographic questions from a broad scientific perspective, particularly from mathematics, computer science and physics.
Marc Stevens and the CRYPTO 2017 Best Paper Award winning team (22 August 2017). Source: Marc Stevens.
More information
- the conference programme: https://www.iacr.org/conferences/crypto2017/program.html
- details about the SHA-1 attack: https://shattered.io
- press release on breaking industry standard SHA-1, Feb. 2017: CWI and Google announce first collision for Industry Security Standard SHA-1
- 2009 MD5 Rogue Certification Authority: https://www.win.tue.nl/hashclash/rogue-ca
- Winner of the CRYPTO 2009 Best Paper Award
- https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/stevens