## Collisions and other Non-Random Properties for Step-Reduced SHA-256. Cryptology eprint Archive, April 2008. Available at http://eprint.iacr

Citations: | 12 - 2 self |

### BibTeX

@MISC{Indesteege_collisionsand,

author = {Sebastiaan Indesteege and Florian Mendel and Bart Preneel and Christian Rechberger},

title = {Collisions and other Non-Random Properties for Step-Reduced SHA-256. Cryptology eprint Archive, April 2008. Available at http://eprint.iacr},

year = {}

}

### OpenURL

### Abstract

Abstract. We study the security of step-reduced but otherwise unmodified SHA-256. We show the first collision attacks on SHA-256 reduced to 23 and 24 steps with complexities 2 18 and 2 28.5, respectively. We give example colliding message pairs for 23-step and 24-step SHA-256. The best previous, recently obtained result was a collision attack for up to 22 steps. We extend our attacks to 23 and 24-step reduced SHA-512 with respective complexities of 2 44.9 and 2 53.0. Additionally, we show nonrandom behaviour of the SHA-256 compression function in the form of free-start near-collisions for up to 31 steps, which is 6 more steps than the recently obtained non-random behaviour in the form of a free-start near-collision. Even though this represents a step forwards in terms of cryptanalytic techniques, the results do not threaten the security of applications using SHA-256. Keywords: SHA-256, SHA-512, hash functions, collisions, semi-freestart collisions, free-start collisions, free-start near-collisions.

### Citations

53 | Hash functions based on block ciphers
- Lai, Massey
(Show Context)
Citation Context ...end beyond 24 steps, but we investigate several weaker collision style attacks on a larger number of rounds. Our results are summarised in Table 1. We use the terminology introduced by Lai and Massey =-=[5]-=- for different types of attacks on (iterated) hash functions. A collision attack aims to find two distinct messages that hash to the same result. In a semifree-start collision attack, the attacker is ... |

44 |
Differential Collisions in SHA-0
- Chabaud, Joux
- 1998
(Show Context)
Citation Context ... all Σ- and σ-functions are removed. The conclusion is that for this variant, collisions can be found much faster than by brute force search. The work shows that the approach used by Chabaud and Joux =-=[1]-=- in their analysis of SHA-0 is extensible to that particular variant of SHA-256. The message expansion as a building block on its own was studied by Matusiewicz et al. [8] and Pramstaller et al. [12].... |

30 |
Security Analysis of SHA-256 and Sisters
- Gilbert, Handschuh
- 2003
(Show Context)
Citation Context ...mily, including SHA-1, suggest that the concept of local collisions might also be important for the SHA-2 family. The first published analysis on members of the SHA-2 family, by Gilbert and Handschuh =-=[2]-=-, goes in this direction. They show that there exists a 9-step local collision with probability 2 −66 . Later on, the result was improved by Hawkes et al. [3]. By considering modular differences, they... |

22 |
On Corrective Patterns for the SHA-2 Family. Cryptology eprint Archive, August 2004. Available at http://eprint.iacr.org/2004/207
- Hawkes, Paddon, et al.
(Show Context)
Citation Context ...he SHA-2 family, by Gilbert and Handschuh [2], goes in this direction. They show that there exists a 9-step local collision with probability 2 −66 . Later on, the result was improved by Hawkes et al. =-=[3]-=-. By considering modular differences, they increased the probability to 2 −39 . Using XOR differences, local collisions with probability as high as 2 −38 where used by Hölbl et al. [4]. Local collisio... |

15 | Analysis of step-reduced SHA-256
- Mendel, Pramstaller, et al.
- 2006
(Show Context)
Citation Context ...udied by Matusiewicz et al. [8] and Pramstaller et al. [12]. Finally, we discuss previous work that focuses on step-reduced but otherwise unmodified SHA-256. The first study was done by Mendel et al. =-=[9]-=-. The results obtained are a practical 18-step collision and a differential characteristic for 19-step SHA-224 collision. Also, an example of a pseudonear-collision for 22-step SHA-256 is given. Simil... |

15 |
Biryukov A. Analysis of a SHA-256 variant
- Yoshida
- 2005
(Show Context)
Citation Context ...al. [4]. Local collisions with lower probability but with other properties were studied by Sanadhya and Sarkar in [13]. Now we turn our attention to the analysis of simplified variants of SHA-256. In =-=[17]-=-, Yoshida and Biryukov replace all modular additions by XOR. For this variant, a search for pseudo-collisions is described, which is faster than brute force search for up to 34 steps. Matusiewicz et a... |

8 |
Analysis of simplified variants of SHA-256
- Matusiewicz, Pieprzyk, et al.
- 2005
(Show Context)
Citation Context ...oshida and Biryukov replace all modular additions by XOR. For this variant, a search for pseudo-collisions is described, which is faster than brute force search for up to 34 steps. Matusiewicz et al. =-=[8]-=- analysed a variant of SHA-256 where all Σ- and σ-functions are removed. The conclusion is that for this variant, collisions can be found much faster than by brute force search. The work shows that th... |

6 | On the Additive Differential Probability of Exclusive-Or
- Lipmaa, Wallén, et al.
- 2004
(Show Context)
Citation Context ...he attack. σ1 (W16 + 1) − σ1 (W16) − Σ1 (ǫ − 1) + Σ1 (ǫ) − fch (ǫ − 1, 0, γ + 1) + fch (ǫ, −1, γ + 1) = 0 . (5) σ1 (W17 − 1) − σ1 (W17) − fch (β, ǫ − 1, 0) + fch (β, ǫ, −1) = 0 . (6) β = α − Σ0 (α) . =-=(7)-=- fch (β, β, ǫ − 1) − fch (β, β, ǫ) = −1 . (8) The first phase guarantees that the constants are such that these conditions are satisfied. The second phase of the attack has a negligible complexity and... |

5 |
Lipmaa and Shiho Moriai. Efficient algorithms for computing differential properties of addition
- Helger
(Show Context)
Citation Context ... the first phase of the attack. σ1 (W16 + 1) − σ1 (W16) − Σ1 (ǫ − 1) + Σ1 (ǫ) − fch (ǫ − 1, 0, γ + 1) + fch (ǫ, −1, γ + 1) = 0 . (5) σ1 (W17 − 1) − σ1 (W17) − fch (β, ǫ − 1, 0) + fch (β, ǫ, −1) = 0 . =-=(6)-=- β = α − Σ0 (α) . (7) fch (β, β, ǫ − 1) − fch (β, β, ǫ) = −1 . (8) The first phase guarantees that the constants are such that these conditions are satisfied. The second phase of the attack has a negl... |

4 | Non-Linear Reduced Round Attacks Against
- Sanadhya, Sarkar
- 2008
(Show Context)
Citation Context ...hnique, Nikolić and Biryukov [10] obtained collisions for up to 21 steps and non-random behaviour in the form of semi-free-start near-collisions for up to 25 steps. Very recently, Sanadhya and Sarkar =-=[16]-=- extended this, and showed a collision example for 22 steps of SHA-256 in [14]. 1.2 Our Contribution We extend the work of Nikolić and Biryukov [10] to collisions for 23and 24-step SHA-256 with respec... |

2 |
Preliminary Analysis of the SHA-256 Message Expansion
- Pramstaller, Rechberger, et al.
(Show Context)
Citation Context ...x [1] in their analysis of SHA-0 is extensible to that particular variant of SHA-256. The message expansion as a building block on its own was studied by Matusiewicz et al. [8] and Pramstaller et al. =-=[12]-=-. Finally, we discuss previous work that focuses on step-reduced but otherwise unmodified SHA-256. The first study was done by Mendel et al. [9]. The results obtained are a practical 18-step collision... |

1 |
Searching for messages conforming to arbitrary sets of conditions in SHA-256
- Hölbl, Rechberger, et al.
- 2008
(Show Context)
Citation Context ...y Hawkes et al. [3]. By considering modular differences, they increased the probability to 2 −39 . Using XOR differences, local collisions with probability as high as 2 −38 where used by Hölbl et al. =-=[4]-=-. Local collisions with lower probability but with other properties were studied by Sanadhya and Sarkar in [13]. Now we turn our attention to the analysis of simplified variants of SHA-256. In [17], Y... |

1 |
Sanadhya and Palash Sarkar. New Local Collisions for the SHA-2 Hash Family
- Sarkar
- 2008
(Show Context)
Citation Context ...ifferences, local collisions with probability as high as 2 −38 where used by Hölbl et al. [4]. Local collisions with lower probability but with other properties were studied by Sanadhya and Sarkar in =-=[13]-=-. Now we turn our attention to the analysis of simplified variants of SHA-256. In [17], Yoshida and Biryukov replace all modular additions by XOR. For this variant, a search for pseudo-collisions is d... |

1 |
Sanadhya and Palash Sarkar. Attacking Reduced Round SHA-256
- Kumar
- 2008
(Show Context)
Citation Context ...tep SHA-224 collision. Also, an example of a pseudonear-collision for 22-step SHA-256 is given. Similar techniques have been studied by Matusiewicz et al. [8] and recently also by Sanadhya and Sarkar =-=[15]-=-. Using a different technique, Nikolić and Biryukov [10] obtained collisions for up to 21 steps and non-random behaviour in the form of semi-free-start near-collisions for up to 25 steps. Very recentl... |

1 |
at step 11 by fixing the state variables in this step, A11, · · · , H11 as indicated in Table 3. The constants α, β, γ and ǫ are given by the first phase of the attack
- Start
(Show Context)
Citation Context ... all Σ- and σ-functions are removed. The conclusion is that for this variant, collisions can be found much faster than by brute force search. The work shows that the approach used by Chabaud and Joux =-=[1]-=- in their analysis of SHA-0 is extensible to that particular variant of SHA-256. The message expansion as a building block on its own was studied by Matusiewicz et al. [8] and Pramstaller et al. [12].... |

1 |
a similar way, calculate W12 such that E13 = β and W ′ 12 such that E ′ 13 = β. This also guarantees that A13 = A ′ 13 because the majority function absorbs the difference in C12
- In
(Show Context)
Citation Context ...he SHA-2 family, by Gilbert and Handschuh [2], goes in this direction. They show that there exists a 9-step local collision with probability 2 −66 . Later on, the result was improved by Hawkes et al. =-=[3]-=-. By considering modular differences, they increased the probability to 2 −39 . Using XOR differences, local collisions with probability as high as 2 −38 where used by Hölbl et al. [4]. Local collisio... |