Attacking Reduced Round SHA-256

The SHA-256 hash function has recently started getting attention from the cryptanalysis community due to the various weaknesses found in its predecessors such as MD4, MD5, SHA-0 and SHA-1. We make two contributions in this work. First, we describe message modification techniques and use them to obtain an algorithm that generates message pairs which collide for the actual SHA-256 reduced to 18 steps. Our second contribution is to present differential paths for 19, 20, 21, 22 and 23 steps of SHA-256. We construct parity check equations in a novel way to find these characteristics. Further, the 19-step differential path presented here is constructed using only 15 local collisions, as opposed to the previously known 19-step near-collision differential path, which consists of an interleaving of 23 local collisions. Our 19-step differential path can also be seen as a single local collision at the message word level. We use a linearized local collision in this work. These results do not pose any threat to the security of the SHA-256 hash function.
