# New local collisions for the SHA-2 hash family

29 Nov 2007-pp 193-205

TL;DR: In this paper, the authors make a systematic study of local collisions for the SHA-2 family and identify certain impossible conditions for linear approximations of the constituent Boolean functions and compute the probabilities of the various differential paths.

Abstract: The starting point for collision attacks on practical hash functions is a local collision. In this paper, we make a systematic study of local collisions for the SHA-2 family. The possible linear approximations of the constituent Boolean functions are considered and certain impossible conditions for such approximations are identified. Based on appropriate approximations, we describe a general method for finding local collisions. Applying this method, we obtain several local collisions and compute the probabilities of the various differential paths. Previously, only one local collision due to Gilbert-Handschuh was known. We point out two impossible conditions in the GH local collision and provide an example of an impossible differential path for linearized SHA-2 using this local collision. Sixteen new local collisions are obtained none of which have any impossible conditions. The probabilities of these local collisions are a little less than the GH local collision. On the other hand, the absence of impossible conditions may make them more suitable for (reduced round) collision search attacks on the SHA-2 family.

##### Citations

More filters

••

04 Dec 2011TL;DR: This paper presents the first automated tool for finding complex differential characteristics in SHA-2 and shows that the techniques on SHA-1 cannot directly be applied toSHA-2, and shows how to overcome difficulties by including the search for conforming message pairs in thesearch for differential characteristics.

Abstract: In this paper, we analyze the collision resistance of SHA-2 and provide the first results since the beginning of the NIST SHA-3 competition. We extend the previously best known semi-free-start collisions on SHA-256 from 24 to 32 (out of 64) steps and show a collision attack for 27 steps. All our attacks are practical and verified by colliding message pairs. We present the first automated tool for finding complex differential characteristics in SHA-2 and show that the techniques on SHA-1 cannot directly be applied to SHA-2. Due to the more complex structure of SHA-2 several new problems arise. Most importantly, a large amount of contradicting conditions occur which render most differential characteristics impossible. We show how to overcome these difficulties by including the search for conforming message pairs in the search for differential characteristics.

85 citations

••

14 Dec 2008TL;DR: In this article, the authors presented new and improved attacks against 22, 23 and 24-step SHA-2 family using a local collision given by Sanadhya and Sarkar (SS) at ACISP '08.

Abstract: In this work, we provide new and improved attacks against 22, 23 and 24-step SHA-2 family using a local collision given by Sanadhya and Sarkar (SS) at ACISP '08. The success probability of our 22-step attack is 1 for both SHA-256 and SHA-512. The computational efforts for the 23-step and 24-step SHA-256 attacks are respectively 211.5 and 228.5 calls to the corresponding step reduced SHA-256. The corresponding values for the 23 and 24-step SHA-512 attack are respectively 216.5 and 232.5 calls. Using a look-up table having 232 (resp. 264) entries the computational effort for finding 24-step SHA-256 (resp. SHA-512) collisions can be reduced to 215.5 (resp. 222.5) calls. We exhibit colliding message pairs for 22, 23 and 24-step SHA-256 and SHA-512. This is the first time that a colliding message pair for 24-step SHA-512 is provided. The previous work on 23 and 24-step SHA-2 attacks is due to Indesteege et al. and utilizes the local collision presented by Nikolic and Biryukov (NB) at FSE '08. The reported computational efforts are 218 and 228.5 for 23 and 24-step SHA-256 respectively and 243.9 and 253 for 23 and 24-step SHA-512. The previous 23 and 24-step attacks first constructed a pseudo-collision and later converted it into a collision for the reduced round SHA-2 family. We show that this two step procedure is unnecessary. Although these attacks improve upon the existing reduced round SHA-2 attacks, they do not threaten the security of the full SHA-2 family.

66 citations

•

TL;DR: New and improved attacks against 22, 23 and 24-step SHA-2 family using a local collision given by Sanadhya and Sarkar (SS) at ACISP '08 are provided.

Abstract: In this work, we provide new and improved attacks against 22, 23 and 24-step SHA-2 family using a local collision given by Sanadhya and Sarkar (SS) at ACISP ’08. The success probability of our 22-step attack is 1 for both SHA-256 and SHA-512. The computational efforts for the 23-step and 24step SHA-256 attacks are respectively 2 and 2 calls to the corresponding step reduced SHA-256. The corresponding values for the 23 and 24-step SHA-512 attack are respectively 2 and 2 calls. Using a look-up table having 2 (resp. 2) entries the computational effort for finding 24-step SHA-256 (resp. SHA-512) collisions can be reduced to 2 (resp. 2) calls. We exhibit colliding message pairs for 22, 23 and 24-step SHA-256 and SHA-512. This is the first time that a colliding message pair for 24-step SHA-512 is provided. The previous work on 23 and 24-step SHA-2 attacks is due to Indesteege et al. and utilizes the local collision presented by Nikolic and Biryukov (NB) at FSE ’08. The reported computational efforts are 2 and 2 for 23 and 24-step SHA-256 respectively and 2 and 2 for 23 and 24-step SHA-512. The previous 23 and 24-step attacks first constructed a pseudo-collision and later converted it into a collision for the reduced round SHA-2 family. We show that this two step procedure is unnecessary. Although these attacks improve upon the existing reduced round SHA-2 attacks, they do not threaten the security of the full SHA-2 family.

54 citations

••

10 Feb 2008TL;DR: A differential that holds with high probability if the message satisfies certain conditions is developed, which helps to find collisions for step-reduced SHA-256.

Abstract: In this article we find collisions for step-reduced SHA-256. We develop a differential that holds with high probability if the message satisfies certain conditions. We solve the equations that arise from the conditions. Due to the carefully chosen differential and word differences, the message expansion of SHA-256 has little effect on spreading the differences in the words. This helps us to find full collision for 21-step reduced SHA-256, semi-free start collision, i.e. collision for a different initial value, for 23-step reduced SHA-256, and semi-free start near collision (with only 15 bit difference out of 256 bits) for 25-step reduced SHA-256.

52 citations

••

23 Aug 2009TL;DR: In this article, the first collision attacks on SHA-256 were presented in 23 and 24 steps with complexities of 218 and 228.5, respectively, and a collision attack for up to 22 steps.

Abstract: We study the security of step-reduced but otherwise unmodified SHA-256. We show the first collision attacks on SHA-256 reduced to 23 and 24 steps with complexities 218 and 228.5, respectively. We give example colliding message pairs for 23-step and 24-step SHA-256. The best previous, recently obtained result was a collision attack for up to 22 steps. We extend our attacks to 23 and 24-step reduced SHA-512 with respective complexities of 244.9 and 253.0. Additionally, we show non-random behaviour of the SHA-256 compression function in the form of free-start near-collisions for up to 31 steps, which is 6 more steps than the recently obtained non-random behaviour in the form of a semi-free-start near-collision. Even though this represents a step forwards in terms of cryptanalytic techniques, the results do not threaten the security of applications using SHA-256.

34 citations

##### References

More filters

[...]

01 Jan 1996

TL;DR: From the Publisher: Mathematica has defined the state of the art in technical computing for over a decade, and has become a standard in many of the world's leading companies and universities.

Abstract: From the Publisher:
Mathematica has defined the state of the art in technical computing for over a decade, and has become a standard in many of the world's leading companies and universities. From simple calculator operations to large-scale programming and the preparation of interactive documents, Mathematica is the tool of choice.

3,115 citations

••

14 Aug 2005TL;DR: This is the first attack on the full 80-step SHA-1 with complexity less than the 280 theoretical bound, and it is shown that collisions ofSHA-1 can be found with complexityLess than 269 hash operations.

Abstract: In this paper, we present new collision search attacks on the hash function SHA-1. We show that collisions of SHA-1 can be found with complexity less than 269 hash operations. This is the first attack on the full 80-step SHA-1 with complexity less than the 280 theoretical bound.

1,600 citations

••

22 May 2005TL;DR: A new powerful attack on MD5 is presented, which unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure.

Abstract: MD5 is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement of MD4, and its security was widely studied since then by several authors. The best known result so far was a semi free-start collision, in which the initial value of the hash function is replaced by a non-standard value, which is the result of the attack. In this paper we present a new powerful attack on MD5 which allows us to find collisions efficiently. We used this attack to find collisions of MD5 in about 15 minutes up to an hour computation time. The attack is a differential attack, which unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure. We call this kind of differential a modular differential. An application of this attack to MD4 can find a collision in less than a fraction of a second. This attack is also applicable to other hash functions, such as RIPEMD and HAVAL.

1,583 citations

••

22 May 2005TL;DR: In this article, a chosen-message pre-image attack on MD4 with complexity below 28 was presented, where the complexity is only a single MD4 computation and a random message is a weak message with probability 2−2 to 2−6.

Abstract: MD4 is a hash function developed by Rivest in 1990 It serves as the basis for most of the dedicated hash functions such as MD5, SHAx, RIPEMD, and HAVAL In 1996, Dobbertin showed how to find collisions of MD4 with complexity equivalent to 220 MD4 hash computations In this paper, we present a new attack on MD4 which can find a collision with probability 2−2 to 2−6, and the complexity of finding a collision doesn't exceed 28 MD4 hash operations Built upon the collision search attack, we present a chosen-message pre-image attack on MD4 with complexity below 28 Furthermore, we show that for a weak message, we can find another message that produces the same hash value The complexity is only a single MD4 computation, and a random message is a weak message with probability 2−122
The attack on MD4 can be directly applied to RIPEMD which has two parallel copies of MD4, and the complexity of finding a collision is about 218 RIPEMD hash operations

501 citations

•

TL;DR: In this article, the security of SHA-256, SHA-384 and SHA-512 against collision attacks was studied. But the authors concluded that neither Chabaud and Joux's attack, nor Dobbertin-style attacks also don't apply on the underlying structure.

Abstract: This paper studies the security of SHA-256, SHA-384 and SHA-512 against collision attacks and provides some insight into the security properties of the basic building blocks of the structure. It is concluded that neither Chabaud and Joux's attack, nor Dobbertin-style attacks apply. Differential and linear attacks also don't apply on the underlying structure. However we show that slightly simplified versions of the hash functions are surprisingly weak : whenever symmetric constants and initialization values are used throughout the computations, and modular additions are replaced by exclusive or operations, symmetric messages hash to symmetric digests. Therefore the complexity of collision search on these modified hash functions potentially becomes as low as one wishes.

226 citations