Preimages for Step-Reduced SHA-2

In this paper, we present preimage attacks on up to 43-step SHA-256 (around 67% of the total 64 steps) and 46-step SHA-512 (around 57.5% of the total 80 steps), which significantly increases the number of attacked steps compared to the best previously published preimage attack working for 24 steps. The time complexities are $2^{251.9}$, $2^{509}$ for finding pseudo-preimages and $2^{254.9}$, $2^{511.5}$ compression function operations for full preimages. The memory requirements are modest, around $2^{6}$ words for 43-step SHA-256 and 46-step SHA-512. The pseudo-preimage attack also applies to 43-step SHA-224 and SHA-384. Our attack is a meet-in-the-middle attack that uses a range of novel techniques to split the function into two independent parts that can be computed separately and then matched in a birthday-style phase.
