up:: Classical Cryptography MOC
SHA-1
SHA-1 is a 160-bit cryptographic hash function published by NIST in 1995, once the default fingerprint for digital signatures, TLS certificates, and software integrity, and now formally retired because researchers can produce two different inputs that share one SHA-1 digest. The turning point was a working collision: in 2017 a team at CWI Amsterdam and Google generated two distinct PDF files with an identical SHA-1 hash, breaking the one property signatures and certificates depend on. NIST is disallowing SHA-1 by the end of 2030 and points remaining users to SHA-2 or SHA-3. Its lesson for the quantum transition is a classical one: a primitive the whole world trusted became dangerous a decade before anyone worried about quantum computers, which is why systems must be built to swap algorithms on short notice.
Source: NIST, “NIST Retires SHA-1 Cryptographic Algorithm,” December 15, 2022, nist.gov.
The short version:
- SHA-1 produces a 160-bit digest, which gives an ideal collision resistance of only about 2^80, low enough that a well-funded attacker can now beat it in practice.
- The break is a collision break, not a quantum one. Cryptographers found theoretical collisions in 2005, and the 2017 SHAttered result produced two real PDFs with the same SHA-1 hash.
- The 2020 “SHA-1 is a Shambles” attack made it worse by demonstrating a chosen-prefix collision for roughly $45,000 in rented computing time, which is the kind of collision an attacker actually weaponizes.
- NIST retired SHA-1 on December 15, 2022 and set December 31, 2030 as the date it becomes disallowed, with SHA-2 and SHA-3 as the replacements.
- The lasting lesson is about crypto-agility: an algorithm can go from trusted to dangerous well before any quantum computer exists, so the ability to rotate primitives cleanly is a core requirement, not a nice-to-have.
Picture a wax seal that every office in the country pressed onto its important documents, trusting that no two documents could ever carry the same seal. For years that held. Then a forger worked out how to craft two completely different letters that press out an identical seal, so the seal stops proving which letter is the real one. Nothing about the wax changed. The confidence people placed in it did, and every document sealed that way had to be re-sealed with a new stamp. SHA-1 is that seal, and the migration to a stronger hash is the re-stamping.
What is SHA-1?
SHA-1 is a cryptographic hash function that takes an input of any length and deterministically compresses it into a fixed 160-bit digest, written as 40 hexadecimal characters. NIST published it in 1995 as FIPS 180-1, a corrected successor to the short-lived SHA-0 from 1993, and it was designed by the National Security Agency. For roughly two decades it was the most widely deployed hash on the internet, sitting underneath certificates, signatures, and integrity checks the same way SHA-256 does today.
Like any cryptographic hash, SHA-1 was built to provide three properties:
- Preimage resistance. Given a digest, you cannot feasibly find any input that produces it.
- Second-preimage resistance. Given one input, you cannot feasibly find a different input with the same digest.
- Collision resistance. You cannot feasibly find any two different inputs that share a digest at all.
The third property is where SHA-1 fell apart. Because the digest is only 160 bits, the best-case collision resistance is about 2^80 work from the birthday bound alone, which was already a modest margin by modern standards. Cryptanalysis then pushed the real cost far below even that, and the algorithm went from theoretically weak to practically broken.
Source: NIST, “Secure Hash Standard (SHS),” FIPS 180-4, August 2015, csrc.nist.gov/pubs/fips/180-4/final.
How does SHA-1 work?
SHA-1 uses the same overall shape as SHA-256: a Merkle-Damgard construction that chains a fixed-size compression function over the message block by block. The process runs in a fixed sequence:
- Padding. The message is padded so its total length is a multiple of 512 bits, with the original length encoded into the final bits.
- Blocking. The padded message is split into 512-bit blocks.
- Chaining. SHA-1 keeps a 160-bit internal state, initialized to five fixed 32-bit constants. Each block is fed into the compression function with the current state, and the result becomes the state for the next block.
- Compression. For each block, the compression function runs 80 rounds, expanding the 512-bit block into a message schedule and mixing it into the state with modular addition, bitwise XOR, rotations, and a small set of round functions.
- Output. After the last block, the final 160-bit state is the digest.
The structural weakness is not the Merkle-Damgard chaining, which SHA-256 also uses safely at a larger size. It is the internal round design combined with the short 160-bit output. Cryptanalysts found differential paths through SHA-1’s rounds that let them steer two different messages toward the same internal state far more cheaply than brute force, and the narrow digest left little headroom to absorb that. A 256-bit or larger output would not have saved a design this attackable, but the small size made the practical attack cheaper once the mathematical opening was found.
Source: NIST, “Secure Hash Standard (SHS),” FIPS 180-4, August 2015, csrc.nist.gov/pubs/fips/180-4/final.
What was SHA-1 used for?
SHA-1 spent two decades as a default hash almost everywhere trust and integrity were needed, which is why its retirement touches so many systems. Its common jobs were:
- Certificate and TLS signatures. Certificate authorities signed X.509 and TLS certificates over a SHA-1 digest, binding a certificate’s identity to the issuer. Browsers began distrusting SHA-1 certificates in 2017 for exactly the reason below.
- Code signing and software updates. Signed installers and update packages hashed their contents with SHA-1 before signing.
- Version control and content addressing. Git historically names every object by its SHA-1 hash, and other content-addressed systems did the same.
- PGP and email trust. OpenPGP certifications and key signatures used SHA-1, which is the surface the 2020 chosen-prefix attack targeted.
- File integrity checksums. Published SHA-1 checksums were used to confirm a download had not been altered.
- HMAC and key derivation. HMAC-SHA-1 authenticated messages and derived keys.
The pattern is that SHA-1 was a trust-and-integrity workhorse, so its failure is not a niche problem. It is a fingerprint that millions of systems relied on to prove that data is what it claims to be, which is precisely the property a collision destroys.
Source: A. Langley and others, “Gradually sunsetting SHA-1,” Google Security Blog, September 2014, and browser distrust timelines summarized by the CA/Browser Forum, cabforum.org.
Why is SHA-1 broken?
SHA-1 is broken because attackers can find collisions, meaning two different inputs that produce the same digest, at a cost that a motivated adversary can now pay. The break arrived in stages, each one closer to a real-world attack:
- Theoretical collisions, 2005. Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu showed that collisions in full SHA-1 could be found in roughly 2^69 operations, well below the 2^80 birthday bound, and later refinements pushed the estimate lower. This proved SHA-1 was weaker than its output size implied, though nobody had yet produced an actual collision.
- A real collision, 2017 (SHAttered). Marc Stevens and Pierre Karpman of CWI Amsterdam, with Elie Bursztein, Ange Albertini, and Yarik Markov of Google, produced the first genuine SHA-1 collision on February 23, 2017: two visibly different PDF files with the identical SHA-1 hash
38762cf7f55934b34d179ae6a4c80cadccbb7f0a. It took roughly nine quintillion SHA-1 computations, about 6,500 CPU-years and 110 GPU-years run in parallel. That was an identical-prefix collision, powerful as a proof but limited in what an attacker could forge. - A weaponizable collision, 2020 (Shambles). Gaetan Leurent and Thomas Peyrin demonstrated the first chosen-prefix collision against SHA-1, where an attacker picks two arbitrary starting documents and still forces a hash match. Their attack cost about $45,000 in rented GPU time and let them forge a PGP key certification, so one person could impersonate another and sign documents in their name.
The 2020 result is the one that ended the argument. A chosen-prefix collision is the shape of attack that forges certificates and signatures against targets the attacker chooses, at a price a small budget covers, and it keeps getting cheaper. Once that existed, SHA-1 had no defensible role left in signing or certification.
Sources: X. Wang, Y. L. Yin, H. Yu, “Finding Collisions in the Full SHA-1,” CRYPTO 2005, link.springer.com
M. Stevens, E. Bursztein, P. Karpman, A. Albertini, Y. Markov, “The first collision for full SHA-1,” CRYPTO 2017, shattered.io
G. Leurent, T. Peyrin, “SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust,” USENIX Security 2020, sha-mbles.github.io.
When is SHA-1 fully retired?
SHA-1 is being disallowed on a firm schedule set by NIST. On December 15, 2022, NIST announced the retirement of SHA-1 and set December 31, 2030 as the date after which its use is disallowed, directing all remaining users to migrate to SHA-2 or SHA-3 as soon as possible. NIST also stated it would publish FIPS 180-5 to remove the SHA-1 specification and revise SP 800-131A and other affected guidance to reflect the retirement.
The 2030 date is the formal end of a long wind-down, not the start of concern. NIST had already disallowed SHA-1 for generating digital signatures years earlier, and the major browsers and certificate authorities stopped trusting SHA-1 TLS certificates back in 2016 and 2017. The 2022 announcement closes the remaining legacy uses on a fixed deadline, which is what turns a known-weak algorithm into a compliance obligation with a date attached.
Source: NIST, “NIST Retires SHA-1 Cryptographic Algorithm,” December 15, 2022, nist.gov.
What replaces SHA-1, and how does it compare to SHA-256?
The replacement is the SHA-2 family, most commonly SHA-256, or the newer SHA-3 family for defense-in-depth. Both are unbroken and carry far more margin, and both survive the quantum transition because the strongest quantum attack on a hash, Grover’s algorithm, only halves the effective strength rather than breaking it. The comparison that matters:
| Property | SHA-1 | SHA-256 |
|---|---|---|
| Output size | 160-bit | 256-bit |
| Ideal collision resistance | ~2^80 | ~2^128 |
| Best known collision attack | Practical, chosen-prefix ~$45,000 (2020) | None; full strength holds |
| NIST status | Disallowed after December 31, 2030 | Approved, retained through the quantum transition |
| Quantum verdict | Already dead classically, so quantum is moot | Survives; Grover leaves ~128-bit preimage strength |
| Why | Short digest plus attackable round design let attackers force collisions | Wider digest and stronger design keep collisions out of reach |
The practical read is that SHA-256 is a drop-in fingerprint with a vastly wider safety margin, and moving from SHA-1 to SHA-256 is a straightforward swap of the hash, not a redesign of the system around it. The reason so many organizations still carry SHA-1 is not that the swap is hard in isolation. It is that they cannot easily find every place SHA-1 is used, which is the crypto-agility problem below.
Sources: NIST, “NIST Retires SHA-1 Cryptographic Algorithm,” December 15, 2022, nist.gov
NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov/pubs/ir/8105/final.
What does SHA-1’s failure teach about crypto-agility?
SHA-1’s story is the clearest classical proof of why crypto-agility is load-bearing: an algorithm can go from trusted to dangerous long before any exotic threat like a quantum computer shows up, and the organizations that suffered most were the ones that could not locate and rotate the primitive quickly. The lesson breaks into three parts:
- Trust in a primitive is temporary. SHA-1 was a government-standard hash that the entire internet leaned on, and it was mathematically broken by ordinary academic cryptanalysis, on classical computers, over about fifteen years. No quantum computer was involved. The mere passage of time and research was enough.
- Discovery is harder than replacement. Swapping SHA-1 for SHA-256 in one system is easy. Finding every certificate, signature, script, embedded device, and vendor product that still uses SHA-1 across a large estate is the slow, expensive part, and it is why the retirement took a decade and a legal deadline.
- Agility has to be designed in advance. Systems that abstracted their hash choice could rotate with a configuration change. Systems that hard-coded SHA-1 into protocols, firmware, or file formats had to be re-engineered. The difference between those two outcomes was decided years earlier, when the system was built.
This is the exact shape of the post-quantum migration, which is why SHA-1 is worth studying before touching quantum at all. The vulnerable public-key algorithms that Shor’s algorithm breaks are far more urgent than SHA-1 ever was, but the discipline is identical: know where your cryptography lives, and build so you can replace a primitive on short notice. An organization that could not retire a broken hash in fifteen years will not gracefully replace RSA and elliptic-curve cryptography under a tighter clock.
Source: NIST, “NIST Retires SHA-1 Cryptographic Algorithm,” December 15, 2022, nist.gov.
Is SHA-1 a quantum problem?
No. SHA-1 was broken by classical cryptanalysis and has nothing left for a quantum computer to threaten, because it is already unfit for the uses that mattered. This is the opposite of the SHA-256 situation, where the algorithm is sound and the only question is how much margin a future quantum machine erodes. SHA-1’s collisions come from differential attacks on its round structure and its narrow 160-bit output, both of which are classical weaknesses that existed and were exploited years before quantum resource estimates entered the conversation.
The one honest quantum footnote is that Grover’s algorithm would, in principle, further reduce SHA-1’s preimage strength, just as it does for any hash. That is irrelevant in practice. You do not reach for a quantum computer to attack an algorithm that a rented cluster of GPUs already defeats. SHA-1 belongs in the classical-foundations part of this guide precisely because its lesson lands without any quantum machinery, and that lesson is what carries forward into the real quantum work.
Source: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov/pubs/ir/8105/final.
Common misconceptions
- “SHA-1 is weak because of quantum computers.” It was broken by classical cryptanalysis. The 2017 and 2020 collision attacks ran on ordinary hardware and had nothing to do with quantum computing.
- “A collision attack means SHA-1 leaks the original input.” It does not. A collision means an attacker can craft two inputs with the same digest, which defeats signatures and certificates. It does not let anyone reverse a digest back to its input.
- “If browsers stopped trusting SHA-1 years ago, it’s already gone.” Certificate distrust in 2016 and 2017 closed the TLS surface, but SHA-1 persisted in code signing, legacy protocols, embedded devices, and internal systems, which is why NIST needed a hard 2030 deadline.
- “HMAC-SHA-1 is broken too.” HMAC does not rely on collision resistance, so HMAC-SHA-1 held up far better than SHA-1 signatures. Even so, NIST’s retirement steers new work off SHA-1 entirely, and there is no reason to build on it now.
- “Moving to SHA-256 requires redesigning the system.” For most uses it is a straightforward swap of the hash. The genuine effort is finding every place SHA-1 is used, not replacing it once found.
- “SHA-2 is next to fall because SHA-1 fell.” SHA-2 is a different, stronger design with a much wider output, and no practical attack threatens it. NIST retains SHA-2 through the quantum transition and adds SHA-3 as an independent backup.
Questions people ask
Is SHA-1 safe to use today? No. It is broken for any use that depends on collision resistance, including certificates and signatures, and NIST has set December 31, 2030 as the date it becomes disallowed. New systems should use SHA-256 or SHA-3.
What actually broke SHA-1? Collision attacks. Cryptographers found theoretical collisions in 2005, produced a real collision between two PDFs in the 2017 SHAttered result, and demonstrated a weaponizable chosen-prefix collision in 2020 for about $45,000, which is the kind that forges signatures.
What should I replace SHA-1 with? SHA-256 from the SHA-2 family is the standard choice, and SHA-3 is available for defense-in-depth. Both are unbroken and both carry forward through the quantum transition.
Does the SHA-1 collision let an attacker read hashed data? No. A collision is about crafting two inputs with the same digest, which undermines integrity and trust. It does not reverse a hash or recover a hashed secret.
Is Git insecure because it uses SHA-1? Git’s use of SHA-1 for naming objects is not a signature, so a collision is less immediately dangerous, and Git added collision detection after SHAttered. The Git project has also been moving toward SHA-256 object names. Treat SHA-1 as unsuitable for any new trust decision regardless.
Why did retiring SHA-1 take so long if it was broken in 2005? Because finding and replacing every use of a hash across certificates, code signing, embedded firmware, and vendor products is slow, expensive discovery work. That gap between a known break and a completed migration is the crypto-agility lesson SHA-1 teaches.
Is HMAC-SHA-1 also disallowed? HMAC-SHA-1 rests on a different property than collision resistance and has held up better, but NIST’s retirement moves all new work off SHA-1. There is no good reason to build new systems on it when SHA-256-based options are available.
What does SHA-1 have to do with the quantum migration? It is the proof case. A trusted primitive became dangerous well before quantum computers existed, and only the organizations built for crypto-agility could rotate cleanly. The post-quantum migration is the same discipline under a tighter deadline.
Everything here is the map, given freely. When your team needs its own cryptography inventoried and sorted into what has to move and what can stay, that’s the work I do, and there’s an alignment briefing for it.
Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.