Section: New Results
Hash function cryptanalysis
Cryptographic hash functions are versatile primitives that are used in many cryptographic protocols. The security of a hash function $h$ is usually evaluated through two main notions: its preimage resistance (given a target $t$, the difficulty of finding a message $m$ s.t. $h\left(m\right)=t$) and its collision resistance (the difficulty of finding two messages $m,{m}^{\text{'}}$ s.t. $h\left(m\right)=h\left({m}^{\text{'}}\right)$).
A popular hash function is the SHA1 algorithm. Although theoretical collision attacks were found in 2005, it is still being used in some applications, for instance as the hash function in some TLS certificates. Hence cryptanalysis of SHA1 is still a major topic in cryptography.
In 2015, we improved the stateoftheart on SHA1 analysis in two ways:

T. Espitau, P.A. Fouque and P. Karpman improved the previous preimage attacks on SHA1, reaching up to 62 rounds (out of 80), up from 57. The corresponding paper was published at CRYPTO 2015 [21] .

P. Karpman, T. Peyrin and M. Stevens developed collision attacks on the compression function of SHA1 (i.e. freestart collisions). This exploits a model that is slightly more generous to the attacker in order to find explicit collisions on more rounds than what was previously possible. A first work resulted in freestart collisions for SHA1 reduced to 76 steps; this attack takes less than a week to compute on a common GPU. The corresponding paper was published at CRYPTO 2015 [24] . This was later improved to attack the full compression function. Although the attack is more expensive it is still practical, taking less than two weeks on a 64 GPU cluster. The corresponding paper is currently under review for EUROCRYPT 2016 [32] .