NIST is introducing a plan to transition away from the current limited use of the Secure Hash Algorithm 1 (SHA-1) hash function. Other approved hash functions are already available. The transition will be completed by December 31, 2030, and NIST will engage with stakeholders throughout the transition process.
SHA-1 was first specified in 1995 in Federal Information Processing Standard (FIPS) 180-1, Secure Hash Standard (SHS). In 2005, a serious cryptanalytic attack was announced about SHA-1’s collision resistance – a necessary property for its use in digital signature applications. NIST responded in 2006 with an announcement encouraging a rapid transition to the use of the SHA-2 family of hash functions for digital signature applications, which were initially specified in FIPS 180-2. NIST began a competitive process to develop an additional hash function, which resulted in the SHA-3 family of hash functions published in 2015 as FIPS 202. In 2011, NIST released SP 800-131A, which announced the deprecation of SHA-1 when generating new digital signatures and restricted further use of SHA-1 to only where allowed in NIST protocol-specific guidance.
Cryptanalytic attacks on the SHA-1 hash function as used in other applications have become increasingly severe in recent years ("SHA-1 is a Shambles" by Leurent and Peyrin, 2020). As a result, NIST will transition away from the use of SHA-1 for applying cryptographic protection to all applications by December 31, 2030. Note that after this termination date, it may be necessary to use SHA-1 for handling information protected prior to the termination date; the SHA-1 specification will remain available for this purpose.
Before December 31, 2030, NIST plans to:
Throughout this process, NIST will actively engage with government agencies, validation testing laboratories, vendors, Standards Developing Organizations, sector/industry organizations, users, and other stakeholders to minimize potential impacts and facilitate a smooth transition.
NIST encourages these entities to begin planning for this transition now. By completing their transition before December 31, 2030, stakeholders – particularly cryptographic module vendors – can help minimize potential delays in the validation process.