We are creating some awesome events for you. Kindly bear with us.

NTU Singapore and INRIA Address Key Flaw in Digital Security Algorithm

Security Flaw in Algorithm SHA 1

It is a consistent effort to ensure that a business’s or organisation’s digital security efforts remain robust in an ever-changing landscape. Hackers are constantly finding new ways to penetrate the rigid walls of security and it is ever so crucial to be steadfast and prepared for such attacks. It is also important to ensure that the security features used are accurate and functional.

As such, cryptographic experts from the Nanyang Technological University, Singapore (NTU Singapore) and the French national research institute for digital sciences INRIA in Paris have revealed a critical security flaw in a commonly used security algorithm called SHA-1. It allows hackers to create hoax files and data, under the false pretences of authentic information.

The researchers working on this have established that the use of SHA-1 as a security algorithm should be boycotted and that companies have to refrain from using it.

SHA-1 is a hash function and can be understood to be a building block in cryptography, used in almost every digital authentication process. It supports the security of many digital applications in internet banking, web-based communications, and payment portals of online shopping sites.

The hash function of this algorithm produces a short digital fingerprint, called a hash value, out of a long input message.

If an attacker finds it challenging to find two different inputs that lead to identical has values, the hash function will be considered to be secure. If two different inputs share the same value, it is said that a ‘collision’ has occurred.

SHA-1 was developed by the United States’ National Security Agency (NSA) in the early 1990s. It has been widely integrated into several pieces of software and it continues to be used extensively. It, however, has come under the security by researchers who questioned its validity.

This was especially the case in 2005 when a range of security flaws was theorised and discovered within SHA-1. Recently in 2017, academics from the Dutch research institute Centrum Wiskunde & Informatica (CWI) and Google had created the first practical SHA-1 hash collision. They displayed that it was possible to discover two different input messages that produced the same SHA-1 hash value.

This research work saw the use of a large Google-hosted graphics processing units (GPU) cluster but it did not allow for input messages to be modified according to preference.

Back in May 2019, NTU’s Associate Professor Thomas Peyrin at the School of Physical and Mathematical Sciences and INRIA’s Dr Gaëtan Leurent, used enhanced mathematical procedures to create the first-ever ‘chosen-prefix collision attack’ for SHA-1.

They have now improved it such as to use a cluster of 900 GPUs. The GPUs were run over two months and have successfully shown that this method is able to disrupt the SHA-1 algorithm. The information on this has been published in a paper on the International Association for Cryptologic Research e-print site.

NTU Assoc Prof Peyrin and Dr Leurent had presented their findings at the Real World Crypto Symposium held in New York City, in January this year. They advised that the use of SHA-1 poses as a high threat to users due to its vulnerability to attacks, regardless of whether its use is low or only for backward compatibility. They stressed the critical need to fully phase out SHA-1 as soon as possible.

Both the researchers displayed the findings with the use of a chosen-prefix collision which specifically attacked a type of file called a PGP/GnuPG certificate. This form of certificate is a digital proof of identity that depends on SHA-1 as a hash function.

This demonstration showed that a chosen-prefix collision attack confirms that it is possible to forge specific digital documents, such that they have a correct fingerprint and be shown to be authentic with using SHA-1.

SHA-1 is gradually being removed from the industry but SHA-1 algorithm is still being in several applications. The algorithm now presents itself to be insecure and researchers hope that system owners will act promptly to phase out the use of the SHA-1 algorithm.

Assoc Prof Peyrin explained that a chosen-prefix collision attack signifies that an attacker can commence an attack with any first part of the two messages and subsequently amend the rest. Despite this, the fingerprint values produced remain the same and will still collide.

“As a result of our work, developers of software packages dealing with digital certificates have in the last few months already applied counter-measures in their last versions, treating SHA-1 as insecure,” he added. The hope in place is that the publication of the study will push the industry to steer away from the use of weak cryptographic functions.

Additionally, the newer has functions, such as those from the SHA-2 family of hash functions created in 2001 remain unaffected by the attack.

Assoc Prof Peyrin and his team have a vision to further boost digital security standards used in other everyday digital products and services. “Moving forward, we will continue to analyse the algorithms that keep our everyday digital applications secure as more services around the world become digitised,” he said.


CTC Global Singapore, a premier end-to-end IT solutions provider, is a fully owned subsidiary of ITOCHU Techno-Solutions Corporation (CTC) and ITOCHU Corporation.

Since 1972, CTC has established itself as one of the country’s top IT solutions providers. With 50 years of experience, headed by an experienced management team and staffed by over 200 qualified IT professionals, we support organizations with integrated IT solutions expertise in Autonomous IT, Cyber Security, Digital Transformation, Enterprise Cloud Infrastructure, Workplace Modernization and Professional Services.

Well-known for our strengths in system integration and consultation, CTC Global proves to be the preferred IT outsourcing destination for organizations all over Singapore today.


Planview has one mission: to build the future of connected work. Our solutions enable organizations to connect the business from ideas to impact, empowering companies to accelerate the achievement of what matters most. Planview’s full spectrum of Portfolio Management and Work Management solutions creates an organizational focus on the strategic outcomes that matter and empowers teams to deliver their best work, no matter how they work. The comprehensive Planview platform and enterprise success model enables customers to deliver innovative, competitive products, services, and customer experiences. Headquartered in Austin, Texas, with locations around the world, Planview has more than 1,300 employees supporting 4,500 customers and 2.6 million users worldwide. For more information, visit www.planview.com.


SIRIM is a premier industrial research and technology organisation in Malaysia, wholly-owned by the Minister​ of Finance Incorporated. With over forty years of experience and expertise, SIRIM is mandated as the machinery for research and technology development, and the national champion of quality. SIRIM has always played a major role in the development of the country’s private sector. By tapping into our expertise and knowledge base, we focus on developing new technologies and improvements in the manufacturing, technology and services sectors. We nurture Small Medium Enterprises (SME) growth with solutions for technology penetration and upgrading, making it an ideal technology partner for SMEs.


HashiCorp provides infrastructure automation software for multi-cloud environments, enabling enterprises to unlock a common cloud operating model to provision, secure, connect, and run any application on any infrastructure. HashiCorp tools allow organizations to deliver applications faster by helping enterprises transition from manual processes and ITIL practices to self-service automation and DevOps practices. 


IBM is a leading global hybrid cloud and AI, and business services provider. We help clients in more than 175 countries capitalize on insights from their data, streamline business processes, reduce costs and gain the competitive edge in their industries. Nearly 3,000 government and corporate entities in critical infrastructure areas such as financial services, telecommunications and healthcare rely on IBM’s hybrid cloud platform and Red Hat OpenShift to affect their digital transformations quickly, efficiently and securely. IBM’s breakthrough innovations in AI, quantum computing, industry-specific cloud solutions and business services deliver open and flexible options to our clients. All of this is backed by IBM’s legendary commitment to trust, transparency, responsibility, inclusivity and service.

Send this to a friend