Editing SHA-1 (section)

==Development==
[[File:SHA-1.svg|thumbnail|right|300px|One iteration within the SHA-1 compression function:{{ubli
 | A, B, C, D and E are 32-bit [[Word (data type)|words]] of the state;
 | ''F'' is a nonlinear function that varies;
 | {{tmath|\lll_n}} denotes a left bit rotation by ''n'' places;
 | ''n'' varies for each operation;
 | W<sub>''t''</sub> is the expanded message word of round ''t'';
 | K<sub>''t''</sub> is the round constant of round ''t'';
 | [[Image:Boxplus.png|alt=⊞|Addition]] denotes addition modulo 2<sup>32</sup>.
}}]]

SHA-1 produces a [[message digest]] based on principles similar to those used by [[Ron Rivest|Ronald L. Rivest]] of [[Massachusetts Institute of Technology|MIT]] in the design of the [[MD2 (hash function)|MD2]], [[MD4]] and [[MD5]] message digest algorithms, but generates a larger hash value (160 bits vs. 128 bits).

SHA-1 was developed as part of the U.S. Government's [[Capstone (cryptography)|Capstone project]].<ref>{{cite web| url = http://x5.net/faqs/crypto/q150.html| title = RSA FAQ on Capstone}}</ref> The original specification of the algorithm was published in 1993 under the title ''Secure Hash Standard'', [[Federal Information Processing Standard|FIPS]] PUB 180, by U.S. government standards agency [[NIST]] (National Institute of Standards and Technology).<ref>{{cite book|last1=Selvarani|first1=R.|last2=Aswatha|first2=Kumar|last3=T V Suresh|first3=Kumar|title=Proceedings of International Conference on Advances in Computing|page=551|url=https://books.google.com/books?id=L2OFg7OiV9YC&pg=PA551|date=2012|publisher=Springer Science & Business Media|isbn=978-81-322-0740-5}}</ref><ref>{{citation|title=Secure Hash Standard, Federal Information Processing Standards Publication FIPS PUB 180|institution=National Institute of Standards and Technology|date=11 May 1993}}</ref> This version is now often named ''SHA-0''. It was withdrawn by the [[NSA]] shortly after publication and was superseded by the revised version, published in 1995 in FIPS PUB 180-1 and commonly designated ''SHA-1''. SHA-1 differs from SHA-0 only by a single bitwise rotation in the message schedule of its [[One-way compression function|compression function]]. According to the NSA, this was done to correct a flaw in the original algorithm which reduced its cryptographic security, but they did not provide any further explanation.<ref>{{cite web |last1=Kramer |first1=Samuel |title=Proposed Revision of Federal Information Processing Standard (FIPS) 180, Secure Hash Standard |url=https://www.federalregister.gov/documents/1994/07/11/94-16666/proposed-revision-of-federal-information-processing-standard-fips-180-secure-hash-standard |website=Federal Register |date=11 July 1994}}</ref><ref>{{cite web |last1=fgrieu |title=Where can I find a description of the SHA-0 hash algorithm? |url=https://crypto.stackexchange.com/a/62071 |website=Cryptography Stack Exchange}}</ref> Publicly available techniques did indeed demonstrate a compromise of SHA-0, in 2004, before SHA-1 in 2017 (''see [[#Attacks|§Attacks]]'').