Collisions and Other Non-random Properties for Step-Reduced SHA-256

Indesteege, Sebastiaan; Mendel, Florian; Preneel, Bart; Rechberger, Christian

doi:10.1007/978-3-642-04159-4_18

Cited by 39 publications

(41 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The best collision attacks so far are extensions of [31]. Indesteege et al [13] and Sanadhya and Sarkar [33], both presented collision attacks for 24 steps. We want to note that in contrast to the preimage attacks all these attacks are of practical complexity.…”

Section: Application To Sha-256mentioning

confidence: 99%

“…Apart from being marked as 'relying on the same design principle as SHA-1 and MD5', the best attack to date on SHA-256 is a collision attack for 24 out of 64 steps with practical complexity [13,33] and a preimage attack on 45 steps [18] having a complexity of 2 255.5 . Higher-order differentials have been introduced by Lai in [21] and first applied to block ciphers by Knudsen in [20].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Second-Order Differential Collisions for Reduced SHA-256

Biryukov

Lamberger

Mendel

et al. 2011

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. In this work, we introduce a new non-random property for hash/compression functions using the theory of higher order differentials. Based on this, we show a second-order differential collision for the compression function of SHA-256 reduced to 47 out of 64 steps with practical complexity. We have implemented the attack and provide an example. Our results suggest that the security margin of SHA-256 is much lower than the security margin of most of the SHA-3 finalists in this setting. The techniques employed in this attack are based on a rectangle/boomerang approach and cover advanced search algorithms for good characteristics and message modification techniques. Our analysis also exposes flaws in all of the previously published related-key rectangle attacks on the SHACAL-2 block cipher, which is based on SHA-256. We provide valid rectangles for 48 steps of SHACAL-2.

show abstract

Section: Application To Sha-256mentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Second-Order Differential Collisions for Reduced SHA-256

Biryukov

Lamberger

Mendel

et al. 2011

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…In particular, the work by Nikolić and Biryukov improved the collision techniques [6]. The best collision attacks so far are the ones proposed by Indesteege et al [7] and Sanadhya and Sarkar [8], both describing collision attacks for 24 steps. The only analysis of preimage resistance we are aware of is a recent attack on 24 steps of SHA-2 due to Isobe and Shibutani [9].…”

Section: Introductionmentioning

confidence: 99%

Preimages for Step-Reduced SHA-2

Aoki

Guo

Matusiewicz

et al. 2009

Lecture Notes in Computer Science

117

View full text Add to dashboard Cite

Abstract. In this paper, we present preimage attacks on up to 43-step SHA-256 (around 67% of the total 64 steps) and 46-step SHA-512 (around 57.5% of the total 80 steps), which significantly increases the number of attacked steps compared to the best previously published preimage attack working for 24 steps. The time complexities are 2 251.9 , 2 509 for finding pseudo-preimages and 2 254.9 , 2 511.5 compression function operations for full preimages. The memory requirements are modest, around 2 6 words for 43-step SHA-256 and 46-step SHA-512. The pseudo-preimage attack also applies to 43-step SHA-224 and SHA-384. Our attack is a meet-in-the-middle attack that uses a range of novel techniques to split the function into two independent parts that can be computed separately and then matched in a birthday-style phase.

show abstract

“…Then in [25] Nikolić and Biryukov improved the collision techniques and constructed a practical collision for 21 steps and a semi-free-start collision for 23 steps of SHA-256. This was later extended to 24 steps on SHA-256 and SHA-512 by Sanadhya and Sarkar [26], and Indesteege et al [11]. Then Mendel et al improved the semi-free-start collisions on SHA-256 from 24 to 32 steps and gave a collision attack for 27 steps, which are all practical [19].…”

Section: Introductionmentioning

confidence: 99%

“…In [11], Indesteege et al show nonrandom behavior of the SHA-256 compression function in the form of free-start near-collisions for up to 31 steps. In [17], Lamberger and Mendel gave a second-order differential collision on 46 steps of SHA-256 compression function.…”

Section: Introductionmentioning

confidence: 99%

Boomerang Attack on Step-Reduced SHA-512

Bai

2015

Information Security and Cryptology

View full text Add to dashboard Cite

Abstract. SHA-2 (SHA-224, SHA-256, SHA-384 and SHA-512) is hash function family issued by the National Institute of Standards and Technology (NIST) in 2002 and is widely used all over the world. In this work, we analyze the security of SHA-512 with respect to boomerang attack. Boomerang distinguisher on SHA-512 compression function reduced to 48 steps is proposed, with a practical complexity of 2 51 . A practical example of the distinguisher for 48-step SHA-512 is also given. As far as we know, it is the best practical attack on step-reduced SHA-512.

show abstract

Collisions and Other Non-random Properties for Step-Reduced SHA-256

Cited by 39 publications

References 13 publications

Second-Order Differential Collisions for Reduced SHA-256

Second-Order Differential Collisions for Reduced SHA-256

Preimages for Step-Reduced SHA-2

Boomerang Attack on Step-Reduced SHA-512

Contact Info

Product

Resources

About