Preliminary Analysis of DHA-256

DHA-256 was presented at the Cryptographic Hash Workshop hosted by NIST in November 2005. DHA-256 (Double Hash Algorithm) was proposed to enhance the security of SHA-256. We present a preliminary analysis of the message expansion and give an alternative 9-step local collision for DHA-256. 1 Short Description of DHA-256 The structure of DHA-256 [1] is very similar to the one of SHA-256. The differences are a modified message expansion and a modified state update. The main difference is that the expanded message words are used twice in each step of the state update, therefore the name Double Hash Algorithm. The message expansion is defined as follows: Wi = Mi 0 ≤ i ≤ 15 Wi = σ1(Wi−1) + Wi−9 + σ2(Wi−15) + Wi−16 16 ≤ i ≤ 63 , where σ1(x) = x⊕ (x ¿ 7)⊕ (x ¿ 22) and σ2(x) = x⊕ (x ¿ 13)⊕ (x ¿ 27). The i-th step of the state update is defined as follows: Hi+1 = Ai + SS1(Di) + f(Bi, Ci, Di) + Wi + Ki Bi+1 = Ci ¿ 17 Di+1 = Ei + SS2(Hi) + g(Fi, Gi, Hi) + Wi + Ki Fi+1 = Gi ¿ 2 Ai+1 = Bi Ci+1 = Di Ei+1 = Fi Gi+1 = Hi , where SS1(x) = x⊕(x ¿ 11)⊕(x ¿ 25) and SS2(x) = x⊕(x ¿ 19)⊕(x ¿ 29). The functions f(x, y, z) and g(x, y, z) correspond to the functions CH(x, y, z) and MAJ(x, y, z) of SHA-256 [2]. Also the IV s are the same as for SHA-256. ? The work in this paper has been supported by the Austrian Science Fund (FWF), project P18138. 2 Message Expansion of DHA-256 For the analysis of the message expansion we replace the modular additions by XOR-operations. We search for low-weight differences from step 24 to step 55 by using algorithms from coding theory. The difference with the smallest weight found for the linearized message expansion is given in Table 1. For 32 steps (from step 24 to step 55) we find a minimum weight of 10. In [1] a weight of 63 is presented. The low-weight difference vector given in Table 1 is also valid for the message expansion with the modular additions left in place. Table 1. 32-step difference for the message expansion of DHA-256. step Wi step Wi i = 24 0x00000000 i = 40 0x00000000 i = 25 0x00000000 i = 41 0x00000000 i = 26 0x00000000 i = 42 0x00000000 i = 27 0x00000000 i = 43 0x00000000 i = 28 0x00000000 i = 44 0x00000000 i = 29 0x00000000 i = 45 0x00000000 i = 30 0x00000000 i = 46 0x00004000 i = 31 0x00000000 i = 47 0x00000000 i = 32 0x00000000 i = 48 0x00000000 i = 33 0x00000000 i = 49 0x00000000 i = 34 0x00000000 i = 50 0x00000000 i = 35 0x00000000 i = 51 0x00000000 i = 36 0x00000000 i = 52 0x08004200 i = 37 0x00004000 i = 53 0x00004000 i = 38 0x00204010 i = 54 0x00000000 i = 39 0x00000000 i = 55 0x00004000 total Hamming weight for 32 steps: 10 3 9-Step Local Collision for DHA-256 In [1] the authors provide a 9-step local collision, also referred to as inner collision pattern, that leads to a real (with modular addition) 9-step collision with probability 2−64. After the introduction of the 1-bit difference Wi (disturbance) the correction pattern in [1] is defined as shown in Table 2. The given complexity of 2−64 corresponds to a disturbance in the MSB, i.e. Wi = 0x80000000. In order to construct a 9-step local collision with the pattern given in Table 2 it is required that input differences to the functions f and g are ‘blocked’, i.e. conditions are set such that a input difference does not propagate through f and g. However, this differential property can not always be guaranteed. For instance if the input difference to f is B′ i,j = 0, C ′ i,j = 1, and D′ i,j = 1 the output difference of f is always 1. According to our computations,