SHA-1 is NOT quantum safe and is already classically broken.
How SHA-1 Works
SHA-1 (Secure Hash Algorithm 1) was designed by the NSA and published by NIST in 1995 as FIPS PUB 180-1, a minor revision of the 1993 SHA-0 (FIPS 180). It is a Merkle-Damgård construction producing a 160-bit (20-byte) digest: the padded message is processed in 512-bit blocks, each through 80 steps that update five 32-bit chaining variables (a, b, c, d, e). It was the dominant cryptographic hash throughout the 2000s and was used extensively for TLS/SSL certificate signatures, git object IDs, digital signatures (RSA-SHA1, DSA-SHA1, ECDSA-SHA1) and software integrity checksums.
Theoretical weaknesses were identified as early as 2005 (Wang, Yin and Yu found collisions in about 2^69 operations, below the 2^80 birthday bound), and a practical collision followed in 2017, rendering SHA-1 cryptographically obsolete for any purpose that depends on collision resistance.
Quantum Vulnerability Explained
SHA-1 faces a combination of classical and quantum weaknesses, and the classical one is decisive. Classically, a 160-bit output gives at most 80-bit collision resistance (the birthday bound, 2^80), and cryptanalysis cuts that further. In 2017, Google and CWI Amsterdam demonstrated the first practical SHA-1 collision (SHAttered): two different PDF files with identical SHA-1 digests, found with roughly 2^63.1 SHA-1 computations (about 6,500 CPU-years plus 110 GPU-years). That is out of reach for a hobbyist but comfortably within the means of a well-funded adversary.
Grover's algorithm halves the exponent of generic preimage search, so SHA-1's preimage resistance drops from 2^160 to about 2^80 quantum evaluations, and the Brassard-Høyer-Tapp collision algorithm lowers generic collision finding from 2^80 to about 2^53 (2^(160/3)), although BHT needs a large quantum memory and its practical advantage over classical collision search is disputed. These figures assume a large fault-tolerant quantum computer that does not yet exist; the classical break is already decisive, so quantum attacks are not needed to justify abandoning SHA-1.
SHAttered is an identical-prefix collision: both files share a chosen prefix, differ in two crafted blocks and end with an identical suffix, so the attacker must control both documents from the start. That is enough to obtain a signature over one document and replay it on its twin, or to get a benign file reviewed and then substitute its malicious twin (software updates, commits, contracts). Forging a rogue certificate requires the stronger chosen-prefix collision, where the two prefixes are fixed independently; Leurent and Peyrin demonstrated that for SHA-1 in 2020 ("SHA-1 is a Shambles") at roughly 2^63.4 work. The estimated cost has fallen from about $110,000 of cloud compute for SHAttered in 2017 to under $50,000 for the 2020 chosen-prefix attack, and continues to fall with GPU prices.
Migration Path
SHA-1 requires immediate emergency replacement due to classical vulnerabilities:
Replace with SHA-256 or SHA-384: All SHA-1 hashing should be replaced with SHA-256 (minimum) or SHA-384 (conservative). This includes certificate fingerprints, code signing, integrity verification, and commit hashing.
Git repositories: Git uses SHA-1 for object IDs (blobs, trees, commits, tags). Since git 2.13 the default build hashes with the sha1collisiondetection (SHA-1DC) implementation, which detects the disturbance patterns of SHAttered-style attacks and rejects the object, so a pushed colliding pair is caught rather than silently accepted. That is mitigation, not a fix. Git has shipped an SHA-256 object format since 2.29 (`git init --object-format=sha256`); a repository cannot mix formats and interoperability with SHA-1 hosting is still limited, so organizations should plan repository transitions deliberately rather than wait for a forced migration.
Legacy certificates: Any X.509 certificate whose signature algorithm is sha1WithRSAEncryption, dsaWithSHA1 or ecdsa-with-SHA1 (routine before 2015; public CAs stopped issuing them on 1 January 2016) must be reissued with a SHA-256 signature, and the old certificate revoked where it could still be presented. Browsers have rejected SHA-1 leaf and intermediate certificates since early 2017. The signature on a self-signed root is not checked by clients and is harmless on its own; the problem is any SHA-1 signature a relying party actually verifies.
Software distribution: Package repositories, update systems and download pages that rely on SHA-1 checksums or SHA-1 signatures give no protection against a collision-capable attacker who can influence the published artifact (a contributor, a compromised build step, a mirror serving a colliding twin). Preimage and second-preimage attacks on SHA-1 remain impractical, so a SHA-1 checksum you computed yourself over a file you already trust still detects later tampering, but that is not the threat model of distribution. Migrate to SHA-256 checksums and SHA-256-based signatures.
Industries at Risk
Software supply chains face critical SHA-1 exposure because legacy software distribution systems, package managers, and update mechanisms used SHA-1 checksums. While most have migrated to SHA-256, legacy systems and archived software may retain SHA-1 dependencies.
Git-based development workflows use SHA-1 object IDs, which exposes them to collision attacks in which an adversary contributes a benign blob or commit for review and later substitutes a malicious twin with the same SHA-1 object ID; because the ID is unchanged, signed tags, CI caches and mirrors all accept the swap. (Replacing an object the attacker did not create would be a second-preimage attack, which remains impractical.) Git's SHA-1DC detection blocks the known attack patterns and the SHA-256 object format (git 2.29+) removes the problem, but repositories still on the SHA-1 format depend on that detection holding.
Certificate authorities and PKI systems issued SHA-1-signed certificates through 2015 (the CA/Browser Forum Baseline Requirements barred new issuance from 1 January 2016). Browsers stopped trusting them in 2017, but internal PKI, device certificates, code-signing chains and legacy enterprise applications may still validate, or even still issue, SHA-1 signatures.
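To make the collision vector concrete, here is an added example (not git's own code) that reproduces how git derives object IDs and builds a flat tree, in both the SHA-1 and the SHA-256 object formats. It assumes only git's documented object header (`<type> <length>\0`) and the transition design's 32-byte raw IDs inside SHA-256 trees; the sample file contents are constructed.

```python
"""How git names objects, in the SHA-1 and SHA-256 object formats.
Added example modelled on git's documented object layout; not git's code."""
import hashlib

RAW_ID_LEN = {"sha1": 20, "sha256": 32}


def git_object_id(kind: str, content: bytes, algo: str = "sha1") -> str:
    """Object ID = H("<kind> <byte length>\\0" || content).

    The header binds type and length into the hash, so a colliding pair of
    raw files does not by itself yield colliding git objects; an attacker
    targeting git must craft the collision over header plus content. Git's
    SHA-1DC build detects the block patterns such attacks leave behind."""
    header = f"{kind} {len(content)}\0".encode()
    return hashlib.new(algo, header + content).hexdigest()


def raw_digest(content: bytes, algo: str = "sha1") -> str:
    """Plain hash of the file bytes, for contrast with the object ID."""
    return hashlib.new(algo, content).hexdigest()


def tree_entry(mode: str, name: str, raw_id: bytes) -> bytes:
    """One tree entry: "<mode> <name>\\0" followed by the raw (binary) object ID,
    20 bytes in SHA-1 repositories and 32 in SHA-256 ones."""
    return f"{mode} {name}\0".encode() + raw_id


def git_tree_id(files: dict, algo: str = "sha1") -> tuple:
    """Hash every file as a blob, assemble a flat tree (no subdirectories) from
    the entries in git's byte-wise name order, and hash that too.
    Returns (tree id, raw tree body)."""
    body = b""
    for name in sorted(files):
        blob_id = git_object_id("blob", files[name], algo)
        body += tree_entry("100644", name, bytes.fromhex(blob_id))
    return git_object_id("tree", body, algo), body


# Constructed sample repository contents.
SAMPLE_FILES = {"hello.txt": b"hello\n", "empty.txt": b""}


if __name__ == "__main__":
    for algo in ("sha1", "sha256"):
        tree_id, body = git_tree_id(SAMPLE_FILES, algo)
        print(algo, "blob", git_object_id("blob", b"hello\n", algo))
        print(algo, "tree", tree_id, "body bytes:", len(body))
```

Two things follow from the layout. First, a substituted object keeps its place in every tree and commit that references it, which is exactly why a colliding blob pair is dangerous: nothing above it in the graph changes. Second, switching a repository to the SHA-256 format changes every ID and every raw ID embedded in trees and commits, so the transition is a rewrite of the whole object store, not a flag flip.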
Timeline to Obsolescence
- 1995: NIST publishes SHA-1 (FIPS 180-1), replacing the withdrawn SHA-0.
- 2005: Wang, Yin and Yu publish a theoretical collision attack needing about 2^69 operations, well below the 2^80 birthday bound.
- 2011: NIST SP 800-131A disallows SHA-1 for generating digital signatures after 2013 (verification of legacy signatures is tolerated for longer).
- 2016: Public CAs stop issuing SHA-1 certificates (CA/Browser Forum Baseline Requirements, 1 January 2016).
- 2017: Google and CWI Amsterdam demonstrate a practical identical-prefix collision (SHAttered). Chrome and Firefox stop trusting SHA-1 certificates.
- 2020: Leurent and Peyrin demonstrate a chosen-prefix collision ("SHA-1 is a Shambles"), sufficient to forge certificates and PGP keys.
- 2022: NIST announces that SHA-1 is to be retired from federal use by 31 December 2030.
- 2025-2026: SHA-1 collision resistance is fully broken; any remaining use of SHA-1 for signatures, certificates or integrity verification should be treated as a critical finding.
SHA-1 should be treated as having no collision resistance at all. Immediate replacement with SHA-256 or SHA-384 is mandatory, independent of quantum threats. (HMAC-SHA1 relies on different properties and is not broken by collisions, but it too falls under NIST's 2030 retirement and should be migrated on the same schedule rather than defended.)