Expand description

An implementation of the SHA-1 cryptographic hash algorithm.

This is a port of Marc Stevens’ sha1collisiondetection algorithm to Rust. The code is translated from C to Rust using c2rust.

To improve the translation, the code is transformed first, replacing macros with inline functions. Running the test suite using make check tests the correctness of the transformation.

This crate, like the C implementation, is distributed under the MIT Software License.

§Installation of the command line utility

The command line utility is a drop-in replacement for coreutils’ sha1sum utility. It can be installed, for example, using cargo:

$ cargo install sha1collisiondetection
$ sha1cdsum --help
sha1cdsum 0.2.3
Print or check SHA1 (160-bit) checksums with collision detection.

    sha1cdsum [FLAGS] [files]...
$ sha1cdsum test/*1.*
4f3d9be4a472c4dae83c6314aa6c36a064c1fd14 *coll* test/sha-mbles-1.bin
16e96b70000dd1e7c85b8368ee197754400e58ec *coll* test/shattered-1.pdf

//! # About

This library was designed as near drop-in replacements for common SHA-1 libraries. They will compute the SHA-1 hash of any given file and additionally will detect cryptanalytic collision attacks against SHA-1 present in each file. It is very fast and takes less than twice the amount of time as regular SHA-1.

More specifically they will detect any cryptanalytic collision attack against SHA-1 using any of the top 32 SHA-1 disturbance vectors with probability 1:

    I(43,0), I(44,0), I(45,0), I(46,0), I(47,0), I(48,0), I(49,0), I(50,0), I(51,0), I(52,0),
    I(46,2), I(47,2), I(48,2), I(49,2), I(50,2), I(51,2),
    II(45,0), II(46,0), II(47,0), II(48,0), II(49,0), II(50,0), II(51,0), II(52,0), II(53,0), II(54,0), II(55,0), II(56,0),
    II(46,2), II(49,2), II(50,2), II(51,2)

The possibility of false positives can be neglected as the probability is smaller than 2^-90.

The library supports both an indicator flag that applications can check and act on, as well as a special safe-hash mode that returns the real SHA-1 hash when no collision was detected and a different safe hash when a collision was detected. Colliding files will have the same SHA-1 hash, but will have different unpredictable safe-hashes. This essentially enables protection of applications against SHA-1 collisions with no further changes in the application, e.g., digital signature forgeries based on SHA-1 collisions automatically become invalid.

For the theoretical explanation of collision detection see the award-winning paper on Counter-Cryptanalysis:

Counter-cryptanalysis, Marc Stevens, CRYPTO 2013, Lecture Notes in Computer Science, vol. 8042, Springer, 2013, pp. 129-146, https://marc-stevens.nl/research/papers/C13-S.pdf


The C implementation of the collision detection algorithm is implemented by:

  • Marc Stevens, CWI Amsterdam (https://marc-stevens.nl)
  • Dan Shumow, Microsoft Research (https://www.microsoft.com/en-us/research/people/danshu/)

The C implementation is maintained here.

Please report issues with the rust port here.


use hex_literal::hex;
use sha1collisiondetection::Sha1CD;

// create a Sha1CD object
let mut hasher = Sha1CD::default();

// process input message
hasher.update(b"hello world");

// acquire hash digest in the form of GenericArray,
// which in this case is equivalent to [u8; 20]
let result = hasher.finalize_cd().unwrap();
assert_eq!(result[..], hex!("2aae6c35c94fcfb415dbe95f408b9ce91ee846ed"));

If this crate’s “digest-trait” feature is used, Sha1CD also implements the Digest trait from the digest crate. Also see RustCrypto/hashes readme.



  • Configures the collision-detecting SHA-1 algorithm.
  • A detected collision.
  • Structure representing the state of a SHA-1 computation.


  • Convenience wrapper trait covering functionality of cryptographic hash functions with fixed output size.

Type Aliases§